Co-management with Intune and System Center (SCCM)

What is Co-management

Since a couple of weeks Microsoft has introduced Co-management with Intune and System Center Configuration manager. So what does co management means?  Co-management enables the device to be managed by both ConfigMgr agent and Intune MDM. This allows organizations to move parts or workloads to the cloud. Where they first used sccm.

As an example you can move the workload for Windows 10 update management from ConfigMgr to Intune while continuing to use ConfigMgr yet for other workloads such as software distribution and device security configurations.

In simple words, SCCM Intune co-management is a dual management capability offered for Windows 10 1709 (Fall Creators Update) devices.

Prerequisites

To use Co-management you must make sure your environment has the following prequisites.

  • Your system center environment (sccm) must be updated to SCCM CB 1709
  • The Windows 10 devices must be rolled out with the fall creators update Windows 10 1709
  • You need an active Intune with  subscription
  • You need an active Azure ad Premium with subscription

If you have the prequisites from above you can start configuring the setup.

Setting up Co-management

When you have installed verion 1709 of system center you can start configuring the Co management feature. You can do this as followed.

Step1: Launch you sccm console

Step2: Go to administration

Step3: Go to overview

Step4: Cloud Services

Step5: Click on Co-management and select Configure Co-management

Enable System center Co-Management for SCCM Intune Managed Devices

When you have configured Co-manangement for Intune and system center you need to enable the feature. There are two ways to enable SCCM co-management.

  1. Enable Co-management for SCCM managed devices
  2. Enable Co-management for Intune managed devices

Enable Co-management for SCCM Clients

To enable co-management for SCCM Managed Devices with Intune, you need to select one of the following options.

  • Select ALL or Pilot from the drop-down menu to manage all/pilot SCCM clients via Intune

Enable Co-management for Intune Managed Devices

To enable co-management for Intune managed devices with SCCM, so you need to create an application in Intune. The application will install a SCCM client at the  Intune managed devices. SCCM team provided sample command line to install SCCM client. (you can find this in the Wizard).

Seems like this is actually it. So If you need more information You can use the following resources at Microsoft

  • Co-management for Windows 10 devices – here
  • Migrate hybrid MDM users and devices to Intune standalone – here
  • Microsoft 365 and SCCM Windows 10 Co-Management – here

Migrate Exchange Hybrid Server to another other domain

Migrate Exchange Hybrid server

If you just want to manage the users in Exchange Online and you want to keep Exchange Hybrid, it is recommended to keep one hybrid server connected to your Office 365. You have to make sure that you migrate the rest of the mailboxes  to Office 365.

When all users are in Office 365, then Install another Exchange on the other domain an turn it hybrid.

Note: You have to change your configuration of your AD Connect to accomplish that.

In this blog i will explain step by step on how to achieve this

Install Exchange 2016 in user Forest

Install EX2016 in (new) user forest – Set SCP  to null to prevent any Auto discover. You can use the command below to perform this. Changing the SCP record  shouldn’t affect the existing deployment in the other forest. Recommended is to set the SCP to null once the installation of EX2016 was completed, this was more of a precaution than anything else as all the Autodiscover DNS entries already point to exchange online.

Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like “Version 15.0*”) -And ($_.ServerRole -Like “*ClientAccess*”)} | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://$null

Configure new Exchange server

Add Office 365 mail routing domain as remote domain in you exchange server. You can do this at the Exchange Admin Center (EAC) of your exchange server. If there already is a connector you can see this in the overview.

To add a mail flow click the + button

Select your Exchange server and follow the instructions. You can also perform this within Powershell (make sure you use the Exchange management Shell).

New-SendConnector -Name J3Rmeyer -AddressSpaces * -CloudServicesMailEnabled $true -Fqdn <CertificateHostNameValue> -RequireTLS $true -DNSRoutingEnabled $false -SmartHosts jerrymeyer.nl-com.mail.protection.outlook.com -TlsAuthLevel CertificateValidation

This command will create a send connector as followed

  • Name   j3rmeyer
  • FQDN   mail.jerrymeyer.nl
  • SmartHosts   jerrymeyer.nl.mail.protection.outlook.com

if you have multiple connectors please take a look at the Technet page where all the details are explained.

*Source: Microsoft technet

Export Exchange Attributes

Export Exchange attributes from resource forest account. If you have read my blog about migrating Azure AD Connect to another domain/ forest you will see that there are a lot of similarities

Link to former blogpost

It is important that you export the Attributes below.

  • userPrincipalName
  • proxyAddresses
  • legacyExchangeDN
  • Targetaddress

When Hybrid you need the above and attributes below

  • msExchRecipientTypeDetails
  • msExchMasterAccountSid
  • msExchRecipientDisplayType
  • msExchRemoteRecipientType

*note check you user environment if the MUE and exchange guids are matching. Also check the MasterAccountSID if these are filled. The msExchMasterAccountSid is used to merge the users within the Metaverse of Azure AD Connect. This will result in that only one user will show up in the Office 365 tenant.

Azure AD Connect pt1

When you have exported all the attributes it is time to stop the Azure Ad Connect. You can do this with the commands bellow

To disable Azure AD connect in the Office 365 tenant.

Set-MsolDirSyncEnabled –EnableDirSync $false

Check if it is enabled:

(Get-MSOLCompanyInformation).DirectorySynchronizationEnabled

5. Remove resource forest account from AAD connect scope so it only syncs from user forest account

Import Exchange Attributes

Import Exchange attributes to user forest account and make sure to run the new-remotemailbox command to match the mailboxes online with the user accounts on-premise.

Enable-RemoteMailbox jerry -RemoteRoutingAddress jerry@j3rmeyer.mail.onmicrosoft.com

The Enable-RemoteMailbox command can be run immediately after creating the user account in Active Directory so there is no need to wait for the next AAD Connect synchronization cycle to complete before enabling the mailbox. Once the user account has been provisioned to AAD, the mailbox will automatically created or match.

Azure AD Connect pt2

When you have imported the Exchange attributes and did the match of the mailboxes it is time to enable the Azure AD connect.

To enable Azure AD connect in the Office 365 tenant.

Set-MsolDirSyncEnabled –EnableDirSync $true

Check if it is enabled:

(Get-MSOLCompanyInformation).DirectorySynchronizationEnabled

Change Azure AD configuration

When the Azure ad is doing its work and you have tested the mailboxes it is time to Remove the resource forest. To remove the resource forest account from the Azure AD connect you have to go in the configuration panel of Azure AD connect.

Go to containers and untick the domain

Decommission hybrid from resource forest

In this step we start with a note.

*note: Be sure to establish mail flow in your new environment prior decommission Exchange hybrid. Or queue the mails from on-premises

Bellow you find a list on what to do

  1. Move all legacy Exchange mailboxes to newly deployed Exchange server 2013/2016 in the organization.
  2. Move all content from the public folder database on the Exchange server to a public folder database on an Exchange  server in the organization.
  3. Remove the public folder mailbox and stores on the Exchange server
  4. On Exchange servers, for each offline address book (OAB), move the generation process to an Exchange 2013/2016 server. Ensure 2013/2016 is the one generating/serving OABs for users.
  5. Remove all added DB copies of mailbox DBs so each DB has a single copy in Exchange Server
  6. Remove all nodes from any existing Exchange Server Database Availability Group
  7. Delete the Exchange Server Database Availability Group
  8. Optional: Set the RpcClientAccessServer value of all  DBs to the FQDN of their server
  9. Optional: Remove the CAS Array Object(s)
  10. Check the SMTP logs to see if any outside systems are still sending SMTP traffic to the servers via hard coded names.
  11. Start removing mailbox databases to ensure no arbitration mailboxes still exist on Exchange  servers
  12. Verify that Internet mail flow is configured to route through your Exchange 2013/2016 transport servers
  13. Verify that all inbound protocol services (Microsoft Exchange ActiveSync, Microsoft Office Outlook Web App, Outlook Anywhere, POP3, IMAP4, Auto discover service, and any other Exchange Web service) are configured for Exchange 2013/2016.
  14. Start uninstalling Exchange Server and reboot the server.

*source: blog technet

Configure hybrid in user forest

I think most of you know on how to do this. If not please check out Jaap Wesselius his blog.

 

I think i have captured the most of the migration, If you notice something is missing, incomplete or wrong please notify me.

Migrating Azure AD connect to new Active directory domain

Migrate Azure AD connect

When you want to migrate Azure AD Connect to another domain, so things can become pretty complicated. These kind of migrations can also create a lot of issues and unknown errors. The best thing to do before you start such a migration is to prepare this scenario in a testlab.

Disable Azure AD connect

First you need to logon to the Azure AD connect server which you want to migrate. Then perform the 4 steps below.

Install the Azure Active Directory Module for Windows PowerShell. So For more info, go to the following Microsoft website:

Connect to Azure AD by using Windows PowerShell. For more info about how to do this, go to the following Microsoft website:

Disable directory synchronization.  So to do this, type the following cmdlet, and then press Enter:

Set-MsolDirSyncEnabled –EnableDirSync $false

Check that directory synchronization was fully disabled by using the Windows PowerShell. To do this, run the following cmdlet periodically:

(Get-MSOLCompanyInformation).DirectorySynchronizationEnabled

*note This will take up to 72 hours. This change will not cause any service interruption, all users will be able to use their services as normal.

Install the new Azure AD connect

When you have prepared or executed the steps above you can install the Azure AD connect tool on the new server.

The second step is to populate your new AD domain with all user accounts. So it is now important that you copy all information from the old domain, (companyname, jobtitles etc), and for Exchange Online it is especially important that these attributes are copied:

  • userPrincipalName
  • proxyAddresses
  • legacyExchangeDN

When Hybrid you need the above and attributes below

  • msExchRecipientTypeDetails
  • msExchMasterAccountSid
  • msExchRecipientDisplayType
  • msExchRemoteRecipientType

What does the attributes do

  • The UserPrincipalName (UPN) of the users is the login name to Office 365.
  • ProxyAddresses are all your email addresses, both primary and alias.
  • The legacyExchangeDN, is used if you previously have migrated from an Exchange on-premises to Office 365. It is used for internal addressing in Exchange. If it is removed you will not be able to reply to old emails, meeting invitations, and your Suggested Contacts will also fail.
  • msExchRecipientTypeDetails sets the type of mailbox: usermailbox(1), linkedmailbox(2), Sharedmailox(4), legacymailbox(8), room mailbox(16), equipmentmailbox(13)
  • msExchMasterAccountSid This attribute of the target user object holds the objectSID of the source user account. This allows to connect to the own mailbox and shared mailbox.
  • msExchRecipientDisplayType sets the type of account that is used (List of references)
  • msExchRemoteRecipientType

Match Immutable ID

The third step is to make sure the immutable id in Office 365 which uses the ObjectGUID attribute  is translated to an ImmutableID in Azure Active Directory. If you rename your users, the ObjectGUID is untouched. And most of the time you use the ObjectGUID by default as immutableID.

*note if you have used something else please make sure this part is covert.

Currently we are moving to a new Domain so in this case the ObjectGUID will be changed. To manage this we have to clean the attribute in Office365. Office 365 generates these IDs for us,  you can use the Command below.

Set-msolUser -UserprincipalName “jerry.meyer@domain.com” -immutableID “$null”

Enable AzureAD sync and reinstall Azure AD connect

The next step is to enable Azure AD connect in the Office 365 tenant.

Set-MsolDirSyncEnabled –EnableDirSync $true

Check if it is enabled:

(Get-MSOLCompanyInformation).DirectorySynchronizationEnabled

After these steps you reinstall the Azure AD Connect Sync tool on a server in the new domain. I strongly recommend using a new server for this step. Always use a new server for this purpose else it can create bad errors or even break the sync. When this happens you need to create a ticket at Microsoft.

When the installation and full sync is done. The Sync tool will match the users in Office 365 and AD onprem by the primary email address. When there is a match  a new ImmutableID is created and written to Azure AD.

Retention Policy and Litigation hold

Most of the times Security is unfamiliar terrain when it comes down to Litigation hold and Retention Policies. In this blog post i will explain when to use Litigation hold and when it is best to use the Retention policy in Office 365.

Litigation Hold

When you search on Technet or Google for litigation hold you will find millions of results. But Actually it is quit simple. Litigation Hold is actually another expression for Legal Hold. When you translate this into Office 365 you will use this function. For instance when a user is leaving the company and you need to preserve the Mailbox for 30 years or even longer.

If you activate or use litigation hold you can already check this from you GDPR Checklist because this is one of the requirement.  Office 365 offers a rich set of in-place eDiscovery capabilities to identify relevant data. in-place Discovery including  for instance, search, hold, analyze and export. These tools will help you quickly to meet the investigative, legal, and regulatory requirements regarding GDPR.

To activate Litigation hold you can simply run the following command from the Exchange online powershell module

Set-Mailbox user@domain.com -LitigationHoldEnabled $true -LitigationHoldDuration Unlimited

*note it can take up to 60 minutes before this function is completely activated.

Retention Policy

Since some time compliance is one of Microsoft’s main focuses in Office 365. You need to know how to use these Office 365 features, so that next time you encounter legal, industry regulations or internal policies, you know what to do.

A retention policy is mainly used to preserve content for a specific period of time or indefinitely. Due to regulatory, legal, or business requirement. You can enable Retention policies on most of the Office 365 services like Onedrive, Exchange and since a short period even Groups and possibly even Teams.

You can configure the retention policies quiet easy using the wizard. You can find this in the Security and Compliance menu of the Office 365 admin Center.

So when do you use Litigation hold and when to use a retention Policy

When use Litigation hold to Legally hold a complete mailbox (it will be stored between the soft deleted mailboxes). You use the Retention Policy when you want to preserve Content of one of the Office 365 services.

And yes the configuration of these compliance settings really depends on the situation of you company or client.

Revoke Access from compromised office 365 account

Revoke access

When you have aaccount in your organization that has been hacked or compromised you need to take immediate action to prevent a security dilemma inside of your organization.

For instance when the credentials of a account are compromised. This account can be used for sending out bad emails with malware  and even worse skimming. This will result in a bad Image for your company.

Actions against compromised account

When a account is compromised you need to revoke access to this account. You can perform this with a password reset. What most admin do not know is that this change does not kick in straight away. To speed this process up, the best thing to do is run a “Revoke-AzureADUserAllRefreshToken” on the user’s account. (make sure you are using the connect-azuread module)

Now you are sure that this account has a new password and logging in is impossible.

There is a scenario that the account can still send emails to others. In this case the best thing to do is to create a transport rule. The Transport rule can prevent the user to send out malicious emails.

There is also a way to prevent most of these dangers with the implementation of Azure AD identity protection.

 

 

Microsoft Office 365 groups and Office 365 teams Expiry

Yesterday Microsoft has introduced a feature within Office groups to set an expiry date. What does this means.

What does this mean

This means that you can set a 30 days expiration of a group. When the experation date is passed the owner of the group gets a notification to renew the expiration date for another 30 days or even more.

un1

How do i configure this Group Expiry

You can set the expiration of Office groups in Azure Active directory.

Untitled

When you’re not setting a new expiration date the group will be removed and put into soft deleted. If a group is deleted this can be a real pain for the members of this team or group when this was not the intention.

See my post How to restore a group on how to restore a office group.

How to restore Office 365 group

Some of you probably know that it was not possible to restore data in a office group within office 365. Recently microsoft introduced the new functionality to restore office 365 group or team. This means that you can restore a office Group including all content.

Sometimes a removal of a group can really be a pain for the members in this group or team.

First of all a tip on restore Office 365 Group.

Don’t use Remove-MsolGroup because it purges the group permanently. Always use Remove-AzureADMSGroup to delete an O365 group.

When you start with this topic make sure you have Azure Active Directory PowerShell Version 2 installed else you will mis alot of cmdlets. You can download it from the site of Microsoft. The new version of powershell also contains a lot of new features regarding azure ad. You can also use the command connect-azuread to connect directly into office 365.

To get all removed Office 365 Groups execute the command below

Get-AzureADMSDeletedGroup

Before you want to restore the group or team you need to get more details about the removed office 365 group to get more insights into the group or team. You can also get the object id from here .

Execute the Get command included with the objectID of the removed group. you can also look up the objectid in azure ad.

Get-AzureADMSDeletedGroup –Id <ObjectID>

How to restore your deleted Office 365 group

Once you have verified that the group is in soft deleted, the restore command will restore everything in the office group. (it can take up to 2 days to restore everything) I know this can take a long time and you cant see the status of the restore but the wait is worth the effort.

Restore-AzureADMSDeletedDirectoryObject -Id <ObjectID>

I think you will use this a lot when you manage a office 365 tenant

Office 365 B2B Guest invites with Powershell (without invite email)

Intro add guest user in office 365 with B2B

Sometimes you need to let external users get access to your Office 365 tenant . When this is one user you can just invite the user from the site (Office 365 B2B Guest invites). But what will you do when you need to give access to lots of users without a invite.

In this article i explain how you can add multiple users (10, 100, 1000, 10000 ) as a guest to you office 365 tenant.

First of all you need to do the manual invite Once and give the user you have invite 2 roles.

  1. Usermanagement
  2. Invite guests

The invite guests role explains itself, but you need the usermanagement for changing attributes or removing the user from the tenant.

Ok lets start with Office 365 B2B Guest invites

Invite a users from your source tenant in your destination tenant. When you have done this the user should be in your office 365 tenant under guest with a name like.

user_domain.com#EXT#@j3rmeyerDEV.onmicrosoft.com

When you have checked this you can execute the following command to give the right permissions to that user.

Add-MsolRoleMember -RoleObjectId 95e79109-95c0-4d8e-aee3-d01accf2d47b -RoleMemberEmailAddress “user_domain.com#EXT#@j3rmeyerDEV.onmicrosoft.com”
*note: the invited user gets an email which he needs to accept so for testing purposes give him a Exchange online license.
OK now we have done this you can check this in AzureAD under Map role under the user account and it should be looking like this (sorry for the Dutch).
Untitled
Oke so now we have created a invite account in the destination tenant which is allow to invite users from his Own tenant into your tenant. And the good part is that the users he will invite will not get a Invitation email when you execute the following powershell command.
#Connect to destination tenant with the credential of the inviter account (yes i know you can use a keyfile)
$Username = “Inviteraccount”
$Password = “Inviteraccount password”
$PasswordSecured = Convertto-SecureString –String $Password –AsPlainText –Force
$UserCredential = New-object System.Management.Automation.PSCredential $Username,$PasswordSecured
Connect-AzureAD -Credential $UserCredential -TenantDomain “j3rmeyerDEV.onmicrosoft.com”
#Invite the user
$newuser = New-AzureADMSInvitation -InvitedUserEmailAddress “user2@domain.com” -InvitedUserDisplayName “User2” -sendinvitationmessage $false -InviteRedirectUrl “https://j3rmeyerdev.sharepoint.com”

In a following blog post i will show you how you can easily loop true the users in Activedirectory and add them as a guest without a invite in you Office 365 tenant.

How to Fix Duplicate Exchange Guid Errors in Office 365

When you are migrating users to office 365 you can get a lot off issues. One of these issues is when you have duplication errors in your tenant. Duplicate Exchange online Guid Errors can can generate a lot of issues. Think about duplicate accounts or Mailusers are not removable.

When you see these issues you probably do not have a clue on what to do  but actually these issues are pretty easy to fix:

Fix Duplicate Exchange Guid Errors:

This fix contains a lot of powershelling to get the error hashes and data you need to perform the action to restore this. To perform these actions with ease i recommend you install the latest versions of Powershell before you continue and make sure you have the permissions needed to continue to Duplicate Exchange Guid Errors

(Get-MsolUser -UserPrincipalName affecteduser@domain.com).errors.errordetail.objecterrors.errorrecord| fl

Search in EXO PowerShell for the object that is using the mentioned EXchangeGUID or ArchiveGUID:

Get-Recipient -IncludeSoftDeletedRecipients ‘ExchangeGUID value’|ft RecipientType,PrimarySmtpAddress,*WhenSoftDeleted*

Once you found the object that is using this ExchangeGUID or ArchiveGUID, you have to purge it. When you purge it you have 2 options The softdeleted mailuser removal or Usermailbox removal.

1. If it is a softdeleted MailUser:

Remove-MailUser ‘ExchangeGUID value’ -PermanentlyDelete

2. If it is a softdeleted UserMailbox, run:

Remove-Mailbox ‘ExchangeGUID value’ -PermanentlyDelete

If this command fails due to mailbox being protected by hold, you have to disable the hold first(check if data backup is required):

Set-Mailbox user@domain.com -LitigationHoldEnabled $false -InactiveMailbox

If it turns to be an active mailuser/mailbox that is using this ExchangeGUID/ArchiveGUID, you need to evaluate the option to purge that user. Most of the time Purging is needed to continue with the actions.

Next step after purging.

After the faulty object has been purged from EXO, we need to fix the validation error by forcing the object provisioning:

Get-MsolUser -UserPrincipalName user@domain.com |fl *objectID*

Redo-MsolProvisionUser -ObjectId ‘paste the *objectID* value from above command’

Wait for 5 minutes and then run the next command, to confirm if your validation error is fixed:

(Get-MsolUser -UserPrincipalName user@domain.com).errors.errordetail.objecterrors.errorrecord| fl

Office 365 Hybrid migration error: StalledDueToTarget_DiskLatency

The error that you get refers to : ‘StalledDueToTarget_DiskLatency’

StalledDueToTarget_DiskLatency

To be straight to the point this is an issue where you can do nothing about. Link
When you get the message StalledDuetoTarget_DiskLatency . This means that it has to do with the Exchange Online servers and not with the On-premises infrastructure, so there is nothing you can do locally.

In this case the only thing you can do is open a case with Microsoft. When you have done this ask them what can be the cause of this error from the target side (Office 365).

It would be a good idea to open a case with them mentioning the error (StalledDuetoTarget_DiskLatency) and ask them if they can perform a change that might improve the migration speed.

Click here to read other posts for more Exchange related posts.