Single Label Domain (SLD) and Azure AD Connect

The SLD Azure AD case

Some time ago I was at this customer where I needed to setup Azure AD from 2 forests and 7 domains. Essentially this customer wanted to move to Office 365 Exchange Online. When I was making an inventory of these domains I came across a Single Label Domain (SLD). And me at the age of 30 had never heard of this one.

Single label Domain (SLD)

So what is a single label domain. SLD is a name that is used to describe domains which have only a single name, and no suffix. As example, your Active Directory domain might have a name like company.local, but if it were Single Label, it might be just company.

Either way SLD or Single label domains are a pretty grey area when it comes to support when you need Microsoft. So some advice is to avoid them at all times.

Ok lets go back on topic. We have 2 Active Directory Forests One of these forest is Single label and we have 7 domains and one of these 7 domains is a Single label domain. All the rest is just a normal FQDN like company.local.

Now we get back to the part Microsoft that Microsoft does not support this.

Setting up Azure AD

When you start configuring Azure AD you get to a certain point that AzureAD is asks for you domain forest(s) to give in so it can discover the domain underneath. Both Forests will be discovered yes even the Single label One. And Yes it discovers all FQDN domain names underneath. Except the Single label domain that one will not be discovered.

I understand that this was a little confusing so see the table below :).

Forest.local

Discoverd

Forest.

Discoverd

Domain.local1

Yes

Domain.local5

Yes

Domain.local2

Yes

Domain.local6

Yes

Domain.local3

Yes

Domain.

No

Domain.local4

Yes

I tried some different kind of things to get the Domain. Discovered within Azure AD connect. In the end I found out that with creating a Host file gets it the domain discovered in Azure AD connect. So we moved to the next setup screen in Azure AD connect and that is letting Azure AD discover anything what is inside the domain and then I mean the objects itself.

This is never going to work even with the setup of the hosts file it doesn’t work. So this quest came to a end and we needed to figure out something else.

So what we did is we made a decision to create a new Forest with a new domain and move all the users to that domain. For this task we used ADMT. ADMT is a tool from Microsoft that provides a “copy” action to move Active Directory object from and to different type of domains.

Active Directory Migration Tool (ADMT)

Microsoft developed ADMT to speed the migration process and reduce the chance of errors. ADMT performs object migrations and security translations in a way to limit disruptions to let users access network resources while the migration is underway.

Check this URL if you want to start with ADMT.

https://www.microsoft.com/en-us/download/details.aspx?id=19188

Please follow and like us:

An easy way to manage your organization with Intune

Next up Intune

Since some time Microsoft has been promoting lots of companies to go with Intune. Most of these companies want to use a solution like Intune but sometime already have a system in place which takes care of their mobile devices. Think about Airwatch or Mobile Iron. Most of the time Intune gets compared with Mobile Iron or Airwatch but what most companies do not know is that Intune is not just about mobile devices. It can do lots more than that.

Where to start with Intune

As mentioned before lots of companies do not know where to start with Intune. One of the most asked question I get at customers is do I start with MDM for mobile devices or do I start with MAM and what is the difference. And how do i make sure i enroll the devices without big impact to my users.

First of all the best thing you can do is start with a simple pilot for Mobile Application Management (MAM). Based on a azureAD group. What MAM does is, it manages the applications you make available within Intune for you mobile devices. If you start with this i recommend to just select all the applications from the Microsoft Office 365 subscription.

You can do this within the App protection policies.

intune apps

As you can see my selection of apps are put in just for Android devices. This comes because i have created two policies. One for Android and One for IOS. The reason for this is that i can manage both type of devices separately. For instance if i want to add apps like Google Maps (Android) or Safari (Apple) you can manage these just for these device types.

*make sure you assign your policies to just a few of you, not for the entire company when testing.

Mobile application management (MAM)

As written above you can implement Mobile application management pretty easy. Just make sure you have the right licenses (EM+S E3 or EM+S E5 or Intune). and you are good to go. But what does Mobile application management actually do.

Basically MAM manages the applications you offer to your users as a service to use. This means that a user which has for example a private device can use Outlook for IOS/Android with corporate email in a safe way. The user just need to install the application from the Google playstore or Itunes. The users will be guided thru the process and will end up with a safe working version of outlook with his corporate email.

With the policies you have created you have set some properties to prevent options like; Copy from email to phone storage, open Urls from email into unmanaged browser, Save attachments to non managed storage.

Mobile Device Management (MDM)

What is mobile device management (MDM), MDM is a way of securing the device a user gets from his company. Most of the time i advise this option when a company has company phones which they give to their employees. In this case the device is owned by the company so there is a possibility that you want to do more with the device then just manage the applications like in MAM. Things you can do more then you can do with MAM  are;

  • Device encryption
  • Push company owned apps
  • Install applications from Itunes or Google playstore
  • Wipe entire device instead of just the managed applications
  • Push certificates and WiFi profiles
  • And lots more

I hope this gives you some insights on MAM and MDM. In my opinion these are the best options to start with when starting with Intune. But you can imagine there are lots more feature you can do with Intune. Think about enrolling Windows 10 devices with autopilot, so you can really give you customers a seamless out-of-the-box-experience (OOBE). Even Co-management is possible these days.  In the following blogs i will guid you thru the implementation of some of these features and possibilities.

If you have some ideas for a blogpost regarding Intune that you needs to be worked out please let me know. And i will try if i can create a tutorial for this.

Also do not forget to check my other blogs @j3rmeyer.nl

 

Please follow and like us:

How to disable Office Groups and Teams creation the right way.

Why disable groups/ teams creation

Some companies want to permit access to group and our teams creation. There can be many reasons for this. For instance you want to disable the creation of groups and teams to be more in control over these features.

To do this the right way it is recommended that only certain users are able to create groups and teams. In order to perform this it is rather recommended to create a Universal Security Group (which is mail enabled). This group will be used only for group and team creation.

First steps

As mentioned before it is recommended to create a Universal Security Group (which is mail enabled). When you have Azure AD Connect in place you should create this group on-premise and sync this over to Azure AD. That means that you management will maintain On-premise.

You can also create this group in Azure AD itself. If that is your way to go you should just create a security group in Azure AD. Please understand that your management will be in AzureAD/ Office 365.

The Script

To disable the group/ teams creation you can run the script bellow from the Azure AD PowerShell module

$Settings = Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq ‘Group.Unified’}
If ( !( $Settings)) {
# No Group.Unified object found, create new settings object from template
Get-AzureADDirectorySettingTemplate | Where-Object {$_.DisplayName -eq ‘Group.Unified’} | Select-Object -ExpandProperty Values
$Template = Get-AzureADDirectorySettingTemplate | Where-Object {$_.DisplayName -eq ‘Group.Unified’}
$Template | Select-Object -ExpandProperty Values
$Settings = $Template.CreateDirectorySetting()
}
$Settings[‘EnableGroupCreation’] = ‘false’
$Settings[‘AllowToAddGuests’] = ‘false’
$Settings[‘GroupCreationAllowedGroupId’] = ( Get-AzureADGroup -SearchString ‘Office365GroupTeamsAdmins‘).ObjectId
If ( Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq ‘Group.Unified’} ) {
Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq ‘Group.Unified’} | Set-AzureADDirectorySetting -DirectorySetting $Settings
}
Else {
New-AzureADDirectorySetting -DirectorySetting $Settings
}

And make sure there is a Synced universal mail enabled security group with the name Office365GroupTeamsAdmins. Because  the user must be in the group Office365GroupTeamsAdmins to create groups and teams so all other users are not permitted.
Thanks to Michel de Rooij for this script
Please follow and like us:

Monitor Windows AD and Azure AD Health with Microsoft OMS

What is Microsoft Operation Management Suite (OMS)

Oms (Microsoft Operations Management Suite) is Microsoft’s cloud-based IT management solution that helps you manage and protect your on-premises and cloud infrastructure. In this case we will use OMS to monitor and sort of “manage” Azure AD connect and Azure AD identities.

Before we start with OMS

Bore we start there are some requirements.

  1.  We need a Valid OMS Subscription – OMS has different level of subscriptions. It is depending on the OMS services you use and amount of data you uploaded. Ther is a free version which provides 500mb daily upload and 7-days of data retention.
  2. Direct Connection to Azure AD
  3. Domain Administrator Account in order to install the agent in the domain controllers we need to have Domain Administrator privileges.
  4. Global admin account to perform some actions in Azure AD

How to enable OMS as an AD Solutions 

Log in to OMS https://login.mms.microsoft.com/signin.aspx?ref=ms_mms as OMS administrator

Click on Solution Gallery

By default, AD Assessment solution is enabled. In order to enable AD Replication Status  click on the tile from the solution list and then click on Add.

Install OMS Agents 
Next step of the configuration is to install monitoring agent in domain controllers and get them connected with OMS.
1. Log in to the domain controller as domain administrator
2. Log in to OMS portal
3. Go to Settings > Connected Sources > Windows Servers > click on Download Windows Agent (64bit). it will download the monitoring agent to the system.
4. Once it is download, double click on the setup and start the installation process.
5. In first windows of the wizard click Next to begin the installation.
6. In next window read and accept the licenses terms.
7. In next window, we can select where it should install. If there is on changes click Next to Continue.
8. In next window, it asks where it will connect to. In our scenario, it will connect to OMS directly.
9. In next window, it asks about OMS Workspace ID and Key. it can be found in OMS portal in Settings > Connected Sources > Windows Servers. if this server is behind proxy server, we also can specify the proxy setting in this window. Once relevant info provided click on Next to continue.
 10. In next window, it asks how I need to check agent updates. It is recommended to use windows updates option. Once selection has made, Click Next.
11. In confirmation page, click Install to begin the installation.
12. Follow same steps for other domain controllers.
13. After few minutes, we can see the newly added servers are connected as data source under Settings > Connected Sources > Windows Servers

How to view analyzed Data

After a few minutes, OMS will start to collect data and virtualize the findings. To view this data, log in to OMS portal and click on relevant solution gallery tile in home page. You will find your analysed/ assessed servers there. You also get a quick overview and some recommendations for these servers.
Once click on the tile it brings you to a page where it displays more details about its findings. You will get a nice overview with all the collected data and it even provides you some fixes

 How to collect Windows logs for Analysis

Using OMS, we also can collect windows logs and use OMS analyzing capabilities to analyze those. When this enabled, OMS space usage and bandwidth usage on organization end will be higher. In order to collect logs,
1. Log in to OMS portal
2. Go to Settings > Data > Windows Event Logs
3. In the box, you can search for the relevant log file name and add it to the list. We also can select which type of events to extract. Once selection is made click Save.
After few minutes, you can start to see the events under log search option. In their using queries we can filter out the data. Also, we can setup email alerts based on the specific events.
*source http://www.rebeladmin.com/
Please follow and like us:

Where is the Bitlocker Key stored within Microsoft Azure AD

Storing your Bitlocker key

When you enroll your  Windows 10 devices with  Microsoft Intune, you have the posibility to store your Bitlocker recovery keys in Azure AD. There are two ways to store the Bitlocker key the proper way

  1. Store the Bitlocker key into Active Directory (on-premise)
  2. Store the Key Into Azure AD (Cloud)

When you use the Azure AD join and activate Bitlocker, you get the option to store the Recovery Key in Azure AD. When you walk through the Join or register the device wizard.

The Key will be stored in the Cloud/ Azure AD. To get these keys in the Classic Azure Portal follow the steps below

Classic Azure Portal steps

  1. Open Azure AD in the Management Portal https://manage.windowsazure.com
  2. Open the Users tab and search/browse for the account you need to find recovery key for, then open it.
  3. Go to the Devices tab, and in the View box, select Devices.
  4. Select the affected device, and click View Details.

All registed recovery keys should be visible

(New) Azure Portal

Most of you will probably use the (new) azure Portal, to find the keys here is a little different but not to much. Follow the steps bellow to get the recovery keys from Azure AD

  1. Open Azure AD in the Management Portal https://portal.azure.com
  2. Open the Users and Groups blade and find the user involved.
  3. Go to his registred devices of the user.
  4. Click on the Device where you need the key from,

You will find the recovery key at the bottom of the device information

Please follow and like us:

Co-management with Intune and System Center (SCCM)

What is Co-management

Since a couple of weeks Microsoft has introduced Co-management with Intune and System Center Configuration manager. So what does co management means?  Co-management enables the device to be managed by both ConfigMgr agent and Intune MDM. This allows organizations to move parts or workloads to the cloud. Where they first used sccm.

As an example you can move the workload for Windows 10 update management from ConfigMgr to Intune while continuing to use ConfigMgr yet for other workloads such as software distribution and device security configurations.

In simple words, SCCM Intune co-management is a dual management capability offered for Windows 10 1709 (Fall Creators Update) devices.

Prerequisites

To use Co-management you must make sure your environment has the following prequisites.

  • Your system center environment (sccm) must be updated to SCCM CB 1709
  • The Windows 10 devices must be rolled out with the fall creators update Windows 10 1709
  • You need an active Intune with  subscription
  • You need an active Azure ad Premium with subscription

If you have the prequisites from above you can start configuring the setup.

Setting up Co-management

When you have installed verion 1709 of system center you can start configuring the Co management feature. You can do this as followed.

Step1: Launch you sccm console

Step2: Go to administration

Step3: Go to overview

Step4: Cloud Services

Step5: Click on Co-management and select Configure Co-management

Enable System center Co-Management for SCCM Intune Managed Devices

When you have configured Co-manangement for Intune and system center you need to enable the feature. There are two ways to enable SCCM co-management.

  1. Enable Co-management for SCCM managed devices
  2. Enable Co-management for Intune managed devices

Enable Co-management for SCCM Clients

To enable co-management for SCCM Managed Devices with Intune, you need to select one of the following options.

  • Select ALL or Pilot from the drop-down menu to manage all/pilot SCCM clients via Intune

Enable Co-management for Intune Managed Devices

To enable co-management for Intune managed devices with SCCM, so you need to create an application in Intune. The application will install a SCCM client at the  Intune managed devices. SCCM team provided sample command line to install SCCM client. (you can find this in the Wizard).

Seems like this is actually it. So If you need more information You can use the following resources at Microsoft

  • Co-management for Windows 10 devices – here
  • Migrate hybrid MDM users and devices to Intune standalone – here
  • Microsoft 365 and SCCM Windows 10 Co-Management – here
Please follow and like us:

Migrate Exchange Hybrid Server to another other domain

Migrate Exchange Hybrid server

If you just want to manage the users in Exchange Online and you want to keep Exchange Hybrid, it is recommended to keep one hybrid server connected to your Office 365. You have to make sure that you migrate the rest of the mailboxes  to Office 365.

When all users are in Office 365, then Install another Exchange on the other domain an turn it hybrid.

Note: You have to change your configuration of your AD Connect to accomplish that.

In this blog i will explain step by step on how to achieve this

Install Exchange 2016 in user Forest

Install EX2016 in (new) user forest – Set SCP  to null to prevent any Auto discover. You can use the command below to perform this. Changing the SCP record  shouldn’t affect the existing deployment in the other forest. Recommended is to set the SCP to null once the installation of EX2016 was completed, this was more of a precaution than anything else as all the Autodiscover DNS entries already point to exchange online.

Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like “Version 15.0*”) -And ($_.ServerRole -Like “*ClientAccess*”)} | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://$null

Configure new Exchange server

Add Office 365 mail routing domain as remote domain in you exchange server. You can do this at the Exchange Admin Center (EAC) of your exchange server. If there already is a connector you can see this in the overview.

To add a mail flow click the + button

Select your Exchange server and follow the instructions. You can also perform this within Powershell (make sure you use the Exchange management Shell).

New-SendConnector -Name J3Rmeyer -AddressSpaces * -CloudServicesMailEnabled $true -Fqdn <CertificateHostNameValue> -RequireTLS $true -DNSRoutingEnabled $false -SmartHosts jerrymeyer.nl-com.mail.protection.outlook.com -TlsAuthLevel CertificateValidation

This command will create a send connector as followed

  • Name   j3rmeyer
  • FQDN   mail.jerrymeyer.nl
  • SmartHosts   jerrymeyer.nl.mail.protection.outlook.com

if you have multiple connectors please take a look at the Technet page where all the details are explained.

*Source: Microsoft technet

Export Exchange Attributes

Export Exchange attributes from resource forest account. If you have read my blog about migrating Azure AD Connect to another domain/ forest you will see that there are a lot of similarities

Link to former blogpost

It is important that you export the Attributes below.

  • userPrincipalName
  • proxyAddresses
  • legacyExchangeDN
  • Targetaddress

When Hybrid you need the above and attributes below

  • msExchRecipientTypeDetails
  • msExchMasterAccountSid
  • msExchRecipientDisplayType
  • msExchRemoteRecipientType

*note check you user environment if the MUE and exchange guids are matching. Also check the MasterAccountSID if these are filled. The msExchMasterAccountSid is used to merge the users within the Metaverse of Azure AD Connect. This will result in that only one user will show up in the Office 365 tenant.

Azure AD Connect pt1

When you have exported all the attributes it is time to stop the Azure Ad Connect. You can do this with the commands bellow

To disable Azure AD connect in the Office 365 tenant.

Set-MsolDirSyncEnabled –EnableDirSync $false

Check if it is enabled:

(Get-MSOLCompanyInformation).DirectorySynchronizationEnabled

5. Remove resource forest account from AAD connect scope so it only syncs from user forest account

Import Exchange Attributes

Import Exchange attributes to user forest account and make sure to run the new-remotemailbox command to match the mailboxes online with the user accounts on-premise.

Enable-RemoteMailbox jerry -RemoteRoutingAddress jerry@j3rmeyer.mail.onmicrosoft.com

The Enable-RemoteMailbox command can be run immediately after creating the user account in Active Directory so there is no need to wait for the next AAD Connect synchronization cycle to complete before enabling the mailbox. Once the user account has been provisioned to AAD, the mailbox will automatically created or match.

Azure AD Connect pt2

When you have imported the Exchange attributes and did the match of the mailboxes it is time to enable the Azure AD connect.

To enable Azure AD connect in the Office 365 tenant.

Set-MsolDirSyncEnabled –EnableDirSync $true

Check if it is enabled:

(Get-MSOLCompanyInformation).DirectorySynchronizationEnabled

Change Azure AD configuration

When the Azure ad is doing its work and you have tested the mailboxes it is time to Remove the resource forest. To remove the resource forest account from the Azure AD connect you have to go in the configuration panel of Azure AD connect.

Go to containers and untick the domain

Decommission hybrid from resource forest

In this step we start with a note.

*note: Be sure to establish mail flow in your new environment prior decommission Exchange hybrid. Or queue the mails from on-premises

Bellow you find a list on what to do

  1. Move all legacy Exchange mailboxes to newly deployed Exchange server 2013/2016 in the organization.
  2. Move all content from the public folder database on the Exchange server to a public folder database on an Exchange  server in the organization.
  3. Remove the public folder mailbox and stores on the Exchange server
  4. On Exchange servers, for each offline address book (OAB), move the generation process to an Exchange 2013/2016 server. Ensure 2013/2016 is the one generating/serving OABs for users.
  5. Remove all added DB copies of mailbox DBs so each DB has a single copy in Exchange Server
  6. Remove all nodes from any existing Exchange Server Database Availability Group
  7. Delete the Exchange Server Database Availability Group
  8. Optional: Set the RpcClientAccessServer value of all  DBs to the FQDN of their server
  9. Optional: Remove the CAS Array Object(s)
  10. Check the SMTP logs to see if any outside systems are still sending SMTP traffic to the servers via hard coded names.
  11. Start removing mailbox databases to ensure no arbitration mailboxes still exist on Exchange  servers
  12. Verify that Internet mail flow is configured to route through your Exchange 2013/2016 transport servers
  13. Verify that all inbound protocol services (Microsoft Exchange ActiveSync, Microsoft Office Outlook Web App, Outlook Anywhere, POP3, IMAP4, Auto discover service, and any other Exchange Web service) are configured for Exchange 2013/2016.
  14. Start uninstalling Exchange Server and reboot the server.

*source: blog technet

Configure hybrid in user forest

I think most of you know on how to do this. If not please check out Jaap Wesselius his blog.

 

I think i have captured the most of the migration, If you notice something is missing, incomplete or wrong please notify me.

Please follow and like us:

Migrating Azure AD connect to new Active directory domain

Migrate Azure AD connect

When you want to migrate Azure AD Connect to another domain, so things can become pretty complicated. These kind of migrations can also create a lot of issues and unknown errors. The best thing to do before you start such a migration is to prepare this scenario in a testlab.

Disable Azure AD connect

First you need to logon to the Azure AD connect server which you want to migrate. Then perform the 4 steps below.

Install the Azure Active Directory Module for Windows PowerShell. So For more info, go to the following Microsoft website:

Connect to Azure AD by using Windows PowerShell. For more info about how to do this, go to the following Microsoft website:

Disable directory synchronization.  So to do this, type the following cmdlet, and then press Enter:

Set-MsolDirSyncEnabled –EnableDirSync $false

Check that directory synchronization was fully disabled by using the Windows PowerShell. To do this, run the following cmdlet periodically:

(Get-MSOLCompanyInformation).DirectorySynchronizationEnabled

*note This will take up to 72 hours. This change will not cause any service interruption, all users will be able to use their services as normal.

Install the new Azure AD connect

When you have prepared or executed the steps above you can install the Azure AD connect tool on the new server.

The second step is to populate your new AD domain with all user accounts. So it is now important that you copy all information from the old domain, (companyname, jobtitles etc), and for Exchange Online it is especially important that these attributes are copied:

  • userPrincipalName
  • proxyAddresses
  • legacyExchangeDN

When Hybrid you need the above and attributes below

  • msExchRecipientTypeDetails
  • msExchMasterAccountSid
  • msExchRecipientDisplayType
  • msExchRemoteRecipientType

What does the attributes do

  • The UserPrincipalName (UPN) of the users is the login name to Office 365.
  • ProxyAddresses are all your email addresses, both primary and alias.
  • The legacyExchangeDN, is used if you previously have migrated from an Exchange on-premises to Office 365. It is used for internal addressing in Exchange. If it is removed you will not be able to reply to old emails, meeting invitations, and your Suggested Contacts will also fail.
  • msExchRecipientTypeDetails sets the type of mailbox: usermailbox(1), linkedmailbox(2), Sharedmailox(4), legacymailbox(8), room mailbox(16), equipmentmailbox(13)
  • msExchMasterAccountSid This attribute of the target user object holds the objectSID of the source user account. This allows to connect to the own mailbox and shared mailbox.
  • msExchRecipientDisplayType sets the type of account that is used (List of references)
  • msExchRemoteRecipientType

Match Immutable ID

The third step is to make sure the immutable id in Office 365 which uses the ObjectGUID attribute  is translated to an ImmutableID in Azure Active Directory. If you rename your users, the ObjectGUID is untouched. And most of the time you use the ObjectGUID by default as immutableID.

*note if you have used something else please make sure this part is covert.

Currently we are moving to a new Domain so in this case the ObjectGUID will be changed. To manage this we have to clean the attribute in Office365. Office 365 generates these IDs for us,  you can use the Command below.

Set-msolUser -UserprincipalName “jerry.meyer@domain.com” -immutableID “$null”

Enable AzureAD sync and reinstall Azure AD connect

The next step is to enable Azure AD connect in the Office 365 tenant.

Set-MsolDirSyncEnabled –EnableDirSync $true

Check if it is enabled:

(Get-MSOLCompanyInformation).DirectorySynchronizationEnabled

After these steps you reinstall the Azure AD Connect Sync tool on a server in the new domain. I strongly recommend using a new server for this step. Always use a new server for this purpose else it can create bad errors or even break the sync. When this happens you need to create a ticket at Microsoft.

When the installation and full sync is done. The Sync tool will match the users in Office 365 and AD onprem by the primary email address. When there is a match  a new ImmutableID is created and written to Azure AD.

Please follow and like us:

Microsoft Office 365 groups and Office 365 teams Expiry

Yesterday Microsoft has introduced a feature within Office groups to set an expiry date. What does this means.

What does this mean

This means that you can set a 30 days expiration of a group. When the experation date is passed the owner of the group gets a notification to renew the expiration date for another 30 days or even more.

un1

How do i configure this Group Expiry

You can set the expiration of Office groups in Azure Active directory.

Untitled

When you’re not setting a new expiration date the group will be removed and put into soft deleted. If a group is deleted this can be a real pain for the members of this team or group when this was not the intention.

See my post How to restore a group on how to restore a office group.

Please follow and like us:

How to restore Office 365 group

Some of you probably know that it was not possible to restore data in a office group within office 365. Recently microsoft introduced the new functionality to restore office 365 group or team. This means that you can restore a office Group including all content.

Sometimes a removal of a group can really be a pain for the members in this group or team.

First of all a tip on restore Office 365 Group.

Don’t use Remove-MsolGroup because it purges the group permanently. Always use Remove-AzureADMSGroup to delete an O365 group.

When you start with this topic make sure you have Azure Active Directory PowerShell Version 2 installed else you will mis alot of cmdlets. You can download it from the site of Microsoft. The new version of powershell also contains a lot of new features regarding azure ad. You can also use the command connect-azuread to connect directly into office 365.

To get all removed Office 365 Groups execute the command below

Get-AzureADMSDeletedGroup

Before you want to restore the group or team you need to get more details about the removed office 365 group to get more insights into the group or team. You can also get the object id from here .

Execute the Get command included with the objectID of the removed group. you can also look up the objectid in azure ad.

Get-AzureADMSDeletedGroup –Id <ObjectID>

How to restore your deleted Office 365 group

Once you have verified that the group is in soft deleted, the restore command will restore everything in the office group. (it can take up to 2 days to restore everything) I know this can take a long time and you cant see the status of the restore but the wait is worth the effort.

Restore-AzureADMSDeletedDirectoryObject -Id <ObjectID>

I think you will use this a lot when you manage a office 365 tenant

Please follow and like us: