Retention Policy and Litigation hold

Most of the time, security people are on unfamiliar terrain when it comes to litigation hold and retention policies. In this blog post I will explain when to use litigation hold and when it is better to use a retention policy in Office 365.

Litigation Hold

When you search Technet or Google for litigation hold you will find millions of results, but actually it is quite simple. Litigation hold is just another expression for legal hold. Translated to Office 365, you use this function when, for instance, a user is leaving the company and you need to preserve the mailbox for 30 years or even longer.

If you activate litigation hold you can already tick this off your GDPR checklist, because it is one of the requirements. Office 365 offers a rich set of in-place eDiscovery capabilities to identify relevant data, including search, hold, analyze and export. These tools help you quickly meet the investigative, legal and regulatory requirements of GDPR.

To activate litigation hold you can simply run the following command from the Exchange Online PowerShell module:

Set-Mailbox user@domain.com -LitigationHoldEnabled $true -LitigationHoldDuration Unlimited

*Note: it can take up to 60 minutes before this function is completely activated.
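Because of that delay, it pays to verify rather than assume. The following is an added example, not code from the original post: it enables the hold for a constructed list of leavers and then reads the hold state back, assuming an Exchange Online PowerShell session is already open.

```powershell
# Added example (not from the original post): enable litigation hold for a list of
# leaving users and verify that the hold has actually been applied.
# Assumes an Exchange Online PowerShell session is already open.
# Constructed sample input; replace with your own leavers.
$leavers = @('leaver1@domain.com', 'leaver2@domain.com')

foreach ($upn in $leavers) {
    Set-Mailbox -Identity $upn -LitigationHoldEnabled $true -LitigationHoldDuration Unlimited
}

# The hold can take up to 60 minutes to become active, so check instead of assuming.
foreach ($upn in $leavers) {
    $mbx = Get-Mailbox -Identity $upn
    if ($mbx.LitigationHoldEnabled) {
        "{0}: hold active since {1}, duration {2}" -f $upn, $mbx.LitigationHoldDate, $mbx.LitigationHoldDuration
    } else {
        "{0}: hold not yet visible, check again later" -f $upn
    }
}
```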

Retention Policy

For some time now compliance has been one of Microsoft's main focuses in Office 365. You need to know how to use these Office 365 features, so that the next time you encounter legal requirements, industry regulations or internal policies, you know what to do.

A retention policy is mainly used to preserve content for a specific period of time, or indefinitely, due to regulatory, legal or business requirements. You can enable retention policies on most Office 365 services like OneDrive, Exchange and, since recently, Groups and possibly even Teams.

You can configure retention policies quite easily using the wizard, which you can find in the Security and Compliance menu of the Office 365 admin center.

So when do you use litigation hold and when a retention policy?

You use litigation hold to legally hold a complete mailbox (it will be kept among the soft-deleted mailboxes). You use a retention policy when you want to preserve content of one of the Office 365 services.

And yes, the configuration of these compliance settings really depends on the situation of your company or client.

Revoke access from a compromised Office 365 account

Revoke access

When you have an account in your organization that has been hacked or compromised, you need to take immediate action to prevent a security incident inside your organization.

For instance, when the credentials of an account are compromised, the account can be used for sending out bad emails with malware, or even worse, for skimming. This will result in a bad image for your company.

Actions against a compromised account

When an account is compromised you need to revoke access to it. You can do this with a password reset. What most admins do not know is that this change does not kick in straight away: sessions that are already signed in keep working until their tokens expire. To speed this up, the best thing to do is run Revoke-AzureADUserAllRefreshToken on the user's account (make sure you are connected with Connect-AzureAD from the AzureAD module).

Now you are sure that this account has a new password and logging in with the old credentials or sessions is impossible.

There is a scenario where the account can still send emails to others. In this case the best thing to do is create a transport rule that prevents the user from sending out malicious emails.

There is also a way to prevent most of these dangers by implementing Azure AD Identity Protection.
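The steps above put together as one containment script. This is an added example, not code from the original post; it assumes Connect-AzureAD (AzureAD module) and an Exchange Online session are already open, uses a constructed placeholder UPN, and goes slightly beyond the post by also clearing forwarding and inbox rules, which attackers commonly leave behind.

```powershell
# Added example (not from the original post): contain a compromised account in one go.
# Assumes Connect-AzureAD (AzureAD module) and an Exchange Online session are already open.
# $compromisedUpn is a constructed placeholder.
$compromisedUpn = 'user@domain.com'
$user = Get-AzureADUser -ObjectId $compromisedUpn

# 1. Reset the password to a random value the attacker does not know.
$newPassword = ConvertTo-SecureString -String ([guid]::NewGuid().ToString() + 'Aa1!') -AsPlainText -Force
Set-AzureADUserPassword -ObjectId $user.ObjectId -Password $newPassword -ForceChangePasswordNextLogin $true

# 2. Revoke refresh tokens, otherwise existing sessions keep working after the reset.
Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId

# 3. Block sign-in entirely until the investigation is done.
Set-AzureADUser -ObjectId $user.ObjectId -AccountEnabled $false

# 4. Stop any mail still leaving the mailbox (e.g. via a still-connected client).
New-TransportRule -Name "Block outbound - $compromisedUpn" `
    -From $compromisedUpn `
    -SentToScope NotInOrganization `
    -RejectMessageReasonText 'This account is under investigation.'

# 5. Remove forwarding and inbox rules that an attacker commonly leaves behind.
Set-Mailbox -Identity $compromisedUpn -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
Get-InboxRule -Mailbox $compromisedUpn | Remove-InboxRule -Confirm:$false
```

Keep the transport rule until the investigation is closed, then remove it and re-enable the account.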


Microsoft Office 365 groups and Office 365 teams expiry

Yesterday Microsoft introduced a feature within Office 365 groups to set an expiry date. What does this mean?

What does this mean

This means that you can set a 30-day expiration on a group. When the expiration date has passed, the owner of the group gets a notification to renew the group for another 30 days or even more.


How do I configure this group expiry

You can set the expiration of Office 365 groups in Azure Active Directory.


When you do not set a new expiration date the group will be removed and put into the soft-deleted state. If a group is deleted when this was not the intention, it can be a real pain for the members of the team or group.

See my post How to restore a group on how to restore an Office 365 group.
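The same 30-day expiry can be configured with the AzureAD module instead of the portal. This is an added example, not code from the original post; it assumes Connect-AzureAD has been run, and the notification address and group name are constructed placeholders.

```powershell
# Added example (not from the original post): set up the 30-day expiry with PowerShell
# instead of the portal, and apply it to one group. Assumes Connect-AzureAD is already done.
# The notification address and group name are constructed placeholders.
$policy = New-AzureADMSGroupLifecyclePolicy `
    -GroupLifetimeInDays 30 `
    -ManagedGroupTypes 'Selected' `
    -AlternateNotificationEmails 'groupadmins@domain.com'   # used when a group has no owner

# Attach the policy to one group (ManagedGroupTypes 'All' would cover every group instead).
$group = Get-AzureADMSGroup -SearchString 'Project Falcon' | Select-Object -First 1
Add-AzureADMSLifecyclePolicyGroup -Id $policy.Id -GroupId $group.Id

# Verify the group is covered; this is what decides whether the owner gets the renewal mail.
Get-AzureADMSLifecyclePolicyGroup -Id $group.Id
```

A tenant has only one lifecycle policy, so run Get-AzureADMSGroupLifecyclePolicy first and use Set-AzureADMSGroupLifecyclePolicy if one already exists.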

How to restore an Office 365 group

Some of you probably know that it was not possible to restore data in an Office 365 group. Recently Microsoft introduced new functionality to restore an Office 365 group or team. This means that you can restore an Office 365 group including all its content.

Sometimes the removal of a group can really be a pain for the members of that group or team.

First of all, a tip on restoring Office 365 groups.

Don't use Remove-MsolGroup because it purges the group permanently. Always use Remove-AzureADMSGroup to delete an Office 365 group.

Before you start with this topic make sure you have Azure Active Directory PowerShell Version 2 installed, otherwise you will miss a lot of cmdlets. You can download it from the Microsoft site. The new version of the module also contains a lot of new features regarding Azure AD. You use the command Connect-AzureAD to connect directly to Office 365.

To get all removed Office 365 groups, execute the command below:

Get-AzureADMSDeletedGroup

Before you restore the group or team you need more details about the removed Office 365 group. You can also get the object ID from here.

Execute the Get command with the ObjectID of the removed group. You can also look up the ObjectID in Azure AD.

Get-AzureADMSDeletedGroup -Id <ObjectID>

How to restore your deleted Office 365 group

Once you have verified that the group is soft-deleted, the restore command will restore everything in the Office 365 group (it can take up to 2 days to restore everything). I know this can take a long time and you cannot see the status of the restore, but the wait is worth it.

Restore-AzureADMSDeletedDirectoryObject -Id <ObjectID>

I think you will use this a lot when you manage an Office 365 tenant.
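The lookup and restore put together, resolving the group by display name instead of pasting an ObjectID. This is an added example, not code from the original post; it assumes Connect-AzureAD with the V2 module, and 'Project Falcon' is a constructed placeholder.

```powershell
# Added example (not from the original post): find a soft-deleted group by display name,
# restore it, and check that it is back. Assumes Connect-AzureAD (AzureAD V2 module).
# 'Project Falcon' is a constructed placeholder.
$name = 'Project Falcon'
$deleted = @(Get-AzureADMSDeletedGroup | Where-Object { $_.DisplayName -eq $name })

if ($deleted.Count -eq 0) {
    throw "No soft-deleted group named '$name'. Groups removed with Remove-MsolGroup are purged and cannot be restored."
}
if ($deleted.Count -gt 1) {
    $deleted | Select-Object Id, DisplayName, MailNickname
    throw "More than one soft-deleted group named '$name'; pick one Id and restore it explicitly."
}

# Restore by object ID; the group's content follows over the next hours or days.
Restore-AzureADMSDeletedDirectoryObject -Id $deleted[0].Id

# Confirm the directory object is back (content restore progress itself is not visible).
Get-AzureADMSGroup -Id $deleted[0].Id | Select-Object Id, DisplayName, MailEnabled, SecurityEnabled
```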

Office 365 B2B guest invites with PowerShell (without invite email)

Intro: add guest users in Office 365 with B2B

Sometimes you need to give external users access to your Office 365 tenant. When this is one user you can just invite the user from the portal (Office 365 B2B guest invites). But what do you do when you need to give access to lots of users without an invite?

In this article I explain how you can add multiple users (10, 100, 1000, 10000) as guests to your Office 365 tenant.

First of all you need to do the manual invite once and give the user you have invited two roles:

  1. User management
  2. Invite guests

The Invite guests role explains itself, but you need User management for changing attributes or removing users from the tenant.

OK, let's start with Office 365 B2B guest invites

Invite a user from your source tenant into your destination tenant. When you have done this the user should be in your Office 365 tenant under guests with a name like:

user_domain.com#EXT#@j3rmeyerDEV.onmicrosoft.com

When you have checked this you can execute the following command to give the right permissions to that user:

Add-MsolRoleMember -RoleObjectId 95e79109-95c0-4d8e-aee3-d01accf2d47b -RoleMemberEmailAddress "user_domain.com#EXT#@j3rmeyerDEV.onmicrosoft.com"

*Note: the invited user gets an email which they need to accept, so for testing purposes give them an Exchange Online license.

OK, now that we have done this you can check it in Azure AD under the user account's directory role, and it should look like this (sorry for the Dutch).
OK, so now we have created an inviter account in the destination tenant which is allowed to invite users from its own tenant into your tenant. And the good part is that the users it invites will not get an invitation email when you execute the following PowerShell commands:
#Connect to the destination tenant with the credentials of the inviter account (yes, I know you can use a key file)
$Username = "Inviteraccount"
$Password = "Inviteraccount password"
$PasswordSecured = ConvertTo-SecureString -String $Password -AsPlainText -Force
$UserCredential = New-Object System.Management.Automation.PSCredential $Username, $PasswordSecured
Connect-AzureAD -Credential $UserCredential -TenantDomain "j3rmeyerDEV.onmicrosoft.com"
#Invite the user without sending the invitation email
$newuser = New-AzureADMSInvitation -InvitedUserEmailAddress "user2@domain.com" -InvitedUserDisplayName "User2" -SendInvitationMessage $false -InviteRedirectUrl "https://j3rmeyerdev.sharepoint.com"

In a following blog post I will show you how you can easily loop through the users in Active Directory and add them as guests without an invite to your Office 365 tenant.
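For the "lots of users" case, the single invite above extended to a CSV loop that is safe to re-run. This is an added example, not code from the original post; it assumes Connect-AzureAD has been run as the inviter account, and the CSV layout and file names are constructed.

```powershell
# Added example (not from the original post): bulk-invite guests from a CSV without an
# invitation email, using the inviter account created above. Assumes Connect-AzureAD
# has been run as that account. Input file format (constructed):
#   Email,DisplayName
#   user2@domain.com,User2
$csvPath  = '.\guests.csv'
$redirect = 'https://j3rmeyerdev.sharepoint.com'

# Existing guests, so a second run does not create duplicate invitations.
$existing = Get-AzureADUser -Filter "userType eq 'Guest'" -All $true

$results = foreach ($row in Import-Csv -Path $csvPath) {
    if ($existing.Mail -contains $row.Email) {
        [pscustomobject]@{ Email = $row.Email; Status = 'AlreadyGuest'; ObjectId = $null }
        continue
    }
    try {
        $inv = New-AzureADMSInvitation -InvitedUserEmailAddress $row.Email `
            -InvitedUserDisplayName $row.DisplayName `
            -SendInvitationMessage $false `
            -InviteRedirectUrl $redirect
        [pscustomobject]@{ Email = $row.Email; Status = $inv.Status; ObjectId = $inv.InvitedUser.Id }
    } catch {
        [pscustomobject]@{ Email = $row.Email; Status = "Failed: $($_.Exception.Message)"; ObjectId = $null }
    }
}

# Keep a record of who was added; this is your audit trail for the guest accounts.
$results | Export-Csv -Path '.\guest-invite-results.csv' -NoTypeInformation
$results | Format-Table
```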

How to fix duplicate Exchange GUID errors in Office 365

When you are migrating users to Office 365 you can run into a lot of issues. One of these is duplication errors in your tenant. Duplicate Exchange Online GUID errors can generate a lot of problems, such as duplicate accounts or mail users that cannot be removed.

When you see these issues you probably have no clue what to do, but actually they are pretty easy to fix:

Fix duplicate Exchange GUID errors:

This fix involves a fair amount of PowerShell to get the error details and data you need to repair the object. To perform these actions with ease, I recommend you install the latest version of PowerShell before you continue and make sure you have the permissions needed to fix duplicate Exchange GUID errors. Start by retrieving the validation errors of the affected user:

(Get-MsolUser -UserPrincipalName affecteduser@domain.com).Errors.ErrorDetail.ObjectErrors.ErrorRecord | fl

Search in Exchange Online PowerShell for the object that is using the mentioned ExchangeGUID or ArchiveGUID:

Get-Recipient -IncludeSoftDeletedRecipients 'ExchangeGUID value' | ft RecipientType,PrimarySmtpAddress,*WhenSoftDeleted*

Once you have found the object that is using this ExchangeGUID or ArchiveGUID, you have to purge it. When purging, you have two options: soft-deleted mail user removal or user mailbox removal.

1. If it is a soft-deleted MailUser:

Remove-MailUser 'ExchangeGUID value' -PermanentlyDelete

2. If it is a soft-deleted UserMailbox, run:

Remove-Mailbox 'ExchangeGUID value' -PermanentlyDelete

If this command fails because the mailbox is protected by a hold, you have to disable the hold first (check whether a data backup is required):

Set-Mailbox user@domain.com -LitigationHoldEnabled $false -InactiveMailbox

If it turns out to be an active mail user/mailbox that is using this ExchangeGUID/ArchiveGUID, you need to evaluate the option to purge that user. Most of the time purging is needed to continue.

Next step after purging

After the faulty object has been purged from Exchange Online, we need to fix the validation error by forcing the object provisioning:

Get-MsolUser -UserPrincipalName user@domain.com | fl *ObjectId*

Redo-MsolProvisionUser -ObjectId 'paste the ObjectId value from the command above'

Wait 5 minutes and then run the next command to confirm that your validation error is fixed:

(Get-MsolUser -UserPrincipalName user@domain.com).Errors.ErrorDetail.ObjectErrors.ErrorRecord | fl
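The diagnostic half of this procedure (read the error, pull out the conflicting GUID, find its owner) can be automated so you only make the purge decision by hand. This is an added example, not code from the original post; it assumes Connect-MsolService and an Exchange Online session are open, and the UPN is a constructed placeholder.

```powershell
# Added example (not from the original post): automate the diagnostic half of the procedure
# above: read the validation error, extract the conflicting GUID, and find which recipient
# (including soft-deleted ones) owns it. Purging is left as a deliberate manual step.
# Assumes Connect-MsolService and an Exchange Online session are already open.
$upn = 'affecteduser@domain.com'   # constructed placeholder

$errorRecords = (Get-MsolUser -UserPrincipalName $upn).Errors.ErrorDetail.ObjectErrors.ErrorRecord
if (-not $errorRecords) { Write-Output "No validation errors on $upn"; return }

foreach ($err in $errorRecords) {
    $text = $err.ErrorDescription
    Write-Output "Error: $text"
    # Pull every GUID mentioned in the error text (ExchangeGUID or ArchiveGUID conflicts).
    $guids = [regex]::Matches($text, '[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}') |
        ForEach-Object { $_.Value } | Select-Object -Unique
    foreach ($guid in $guids) {
        $owner = Get-Recipient -IncludeSoftDeletedRecipients -Identity $guid -ErrorAction SilentlyContinue
        if ($owner) {
            $owner | Select-Object RecipientType, PrimarySmtpAddress, WhenSoftDeleted, @{n='Guid';e={$guid}}
            if (-not $owner.WhenSoftDeleted) {
                Write-Warning "$($owner.PrimarySmtpAddress) is ACTIVE; evaluate before purging."
            }
        } else {
            Write-Output "No recipient found for $guid"
        }
    }
}
```

Run it again after Redo-MsolProvisionUser; an empty result is your confirmation that the validation error is gone.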

Office 365 Hybrid migration error: StalledDueToTarget_DiskLatency

The error you get reads: 'StalledDueToTarget_DiskLatency'

StalledDueToTarget_DiskLatency

To be straight to the point, this is an issue you can do nothing about. When you get the message StalledDueToTarget_DiskLatency, it has to do with the Exchange Online servers and not with the on-premises infrastructure, so there is nothing you can do locally.

In this case the only thing you can do is open a case with Microsoft. When you have done this, ask them what the cause of this error on the target side (Office 365) can be.

It would be a good idea to mention the error (StalledDueToTarget_DiskLatency) in the case and ask them if they can perform a change that might improve the migration speed.


The Power of Enterprise Mobility Suite (EMS)

Microsoft Enterprise Mobility Suite (EMS) is a set of tools, including Microsoft Intune, Azure AD and Azure RMS, to help you manage your mobile devices and control the mobility of your users and customers. But where do you start?

Trying new technology is hard, particularly in enterprise mobility. Microsoft is the exception: with Enterprise Mobility Suite (EMS) you are up and running and trying mobility management in just a few minutes if you're doing it right!

Enterprise Mobility Suite is a group of mobility tools. As the name suggests, Microsoft's new and improved offering is a suite of often leading components that come together.

“Where do I start with these tools?”

You’ll be set up in about 5 steps.

  1. Get a 30-day trial for Office 365 (see below)
  2. Get a 30-day trial for the EMS suite
  3. Synchronize an on-premises AD to Azure AD
  4. Configure the mobile device management authority, most of the time with a certificate
  5. Enroll a device
  6. And there you are

Microsoft has one place for user accounts: Active Directory.

One of the big benefits of EMS is that it doesn't harm your identity strategy. You need Active Directory, and with Enterprise Mobility Suite Microsoft safely extends your on-prem AD DS to the modern architecture of Azure AD (you don't need an on-prem AD, as the solution works cloud stand-alone too).

The idea of extending your on-prem AD to the internet might sound daunting, but it really is a good idea, because you are able to use your identities in many more places.

Office 365, Microsoft Intune and any apps you want can share your Azure AD. Lots are built in, out of the box (like Salesforce, Facebook, Box and Nomadesk)!

Manage Devices and Apps with Microsoft Intune

If identity is the foundation of enterprise mobility management, then device management is the first floor and application management the second floor. Mobility management technology has evolved to deal with the newer challenges that mobility faces in today's world.

You probably know of MDM, Mobile Device Management. MDM manages things like remote wipe and applying company policy; I suppose an old-school admin would see MDM as the Group Policy of the modern device world.

This layer is about controlling what you need on a device. It's an essential layer in today's world. If you use Office 365 and/or Azure, you want Microsoft Intune, no matter what device platform (Windows, iOS, Android).

Protecting Data with Azure Rights Management

Azure RMS protects your data and only allows the people intended to have access to it, under the right conditions. Protection has become much more important and easier to deliver.

Example: you install the Azure RMS Connector servers on-prem and your Exchange, SharePoint and file servers can be protected by Azure RMS. Besides that, you can bring your own key and Azure will store your keys in a safe vault.

The Power of Tools

With the above you can do some amazing things. You can protect all your data on your OneDrive and allow devices enrolled in MDM (Intune) to access the information you have access to, from any device.

In some situations EMS can help you out in the worst-case scenarios:

  • The user loses their device: you know that the data at rest is protected, even if you can't remote wipe it.
  • The user leaves the company: you can remove the apps and the data the user was accessing and know they have no access to further data.
  • The user sells their device without wiping it: you can block the device's access while leaving the user's own access intact.

Quick Start trials

  1. Do you have an Office 365 trial? If not, get one. If you do, make sure it's still valid and then return and click Sign in.
  2. Go get an Azure trial, or if you already have one you can just use that.
  3. Now go get a Microsoft EMS trial. Be sure to click the Sign in button and be signed in with your Office 365 trial. You can add EMS to your free Office 365 subscription.

When do I use OneDrive and when SharePoint

Often I get the question whether to save a file in OneDrive or in SharePoint. This is a common question from customers and colleagues when doing a migration, mainly because you can use both platforms to store files and collaborate. Yet there are major differences between the platforms which may affect the way you work significantly.

Save files to OneDrive for Business

OneDrive for Business is an application that allows you to save files locally and in the cloud. From OneDrive for Business it is possible to synchronize files across multiple devices and share those files with others.
But when do I put files in OneDrive for Business and when do I store them in SharePoint Online?
Below you find a number of reasons to use OneDrive:

• You do not plan to share the files with others.
• A small group of people is working on the files.

When you work on files that are not directly related to a project and are only important for you, but you want the ease of sharing with others, OneDrive is the best choice.

Save files to a SharePoint team or project site library

A SharePoint site is a place where users can collaborate on files and ideas. A team site is set up so that users of the site can communicate with each other. In addition, a team site offers workflows, wikis and task functionality so that the team can work better together.

• You want to place a file on the team site because it is important for the team.
• You want more control over the rights that are distributed.
• You want to use workflows for approving documents and other files.
• You expect all related files of the project to be in the team site.
• You want to use extended metadata, with check-in and check-out.

A project site is designed to contain the key components to run a project:
• You want to place a file on the project site because it is important for the project.
• You want more control over the rights that are distributed.
• You want to create tasks for team members with a linked document.
• You expect all related files of the project to be in the project site.
• You want to use extended metadata, with check-in and check-out.
• You want a place where you can run your basic project management and have features like tasks and a timeline at your disposal.

In some cases Office 365 Groups are the best choice. The Groups functionality includes a OneDrive for Business that focuses on a small set of people. A Group is actually a SharePoint team site with the functionality of OneDrive for Business and a SharePoint library, where you also have a calendar and an email address, and Yammer has now been added as well. In the modern team site the Group functions are offered in the team site too.

Setting up shared mailboxes in Exchange Online with PowerShell

Often when you migrate users to Office 365 you need to configure permissions for shared mailboxes. Below you find a short instruction on how to do this.

Connect to Exchange Online with Remote PowerShell

  1. Click Start
  2. Click Administrative Tools
  3. Right Click Windows PowerShell Modules and Run as administrator
  4. Set the execution policy on the local computer
  5. Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
  6. Press “Y” for yes when/if prompted
  7. Specify remote credentials through a variable
  8. $cred=Get-Credential
  9. Enter your tenant admin account
  10. Enter password
  11. Set a session variable and connect to Exchange Online, enter command
  12. $s = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $cred -Authentication Basic -AllowRedirection
  13. Import the session with the variable set in previous step.
  14. $importresults = Import-PSSession $s

Now you are connected to Exchange Online with PowerShell.

Set up a shared mailbox

The following section is copied from Microsoft. See this site for complete details: http://help.outlook.com/140/ee441202.aspx

After you create a shared mailbox, you have to assign permissions to all users who require access to the shared mailbox. Users can't sign in to the shared mailbox. They have to sign in to their own mailbox and then open the shared mailbox to which they've been assigned permissions.

Here's how to use PowerShell to create and configure a shared mailbox for the Corporate Printing Services department at Contoso Corporation.

Create a shared mailbox. To create the shared mailbox for Corporate Printing Services, run one of the following commands:

Office 365

New-Mailbox -Name "info" -Alias corpprint -PrimarySmtpAddress info@yourdomain.com -Shared

Set-Mailbox info -ProhibitSendReceiveQuota 5GB -ProhibitSendQuota 4.75GB -IssueWarningQuota 4.5GB


Create a security group for the users who need access to the shared mailbox. In the Exchange Control Panel, create a security group for the staff who need access to the shared mailbox for Corporate Printing Services.

  1. Select My Organization > Users & Groups > Distribution Groups > New.
  2. Specify a display name, alias, and e-mail address. In this example, we'll use Info, Companygroup, and Info@yourdomain.com.
  3. Select the Make this group a security group check box.
  4. In the Ownership section, click Add to add an owner, if necessary.
  5. In the Membership section, click Add.
  6. In the Select Members page, select the users you want to add. When you are finished, click OK.
  7. On the New Group page, click Save.

Note After you create a security group, the membership is closed. When membership is closed, only group owners can add members to the security group, or owners have to approve requests to join the group. Additionally, only group owners can remove members from the security group.


Assign the security group the FullAccess permission to access the shared mailbox

To enable members of the Printing Services Staff security group to open the mailbox, read e-mail, and use the calendar, run the following command:

Add-MailboxPermission "info" -User Companygroup -AccessRights FullAccess


Assign the security group the SendAs permission to the shared mailbox

To enable members of the Printing Services Staff security group to send e-mail from the mailbox, run the following command:

Add-RecipientPermission "Info" -Trustee Companygroup -AccessRights SendAs

Note: It may take up to 60 minutes until users can access a new shared mailbox or until a new security group member can access a shared mailbox.
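The whole setup above done in PowerShell end to end, including the security group the post creates in the Exchange Control Panel and a verification of the resulting grants. This is an added example, not code from the original post or from Microsoft; it assumes an Exchange Online session is open, and the names, addresses and members are constructed placeholders.

```powershell
# Added example (not from the original post): the same shared mailbox setup done entirely
# in PowerShell, including the mail-enabled security group the post creates in the
# Exchange Control Panel, plus a verification step. Assumes an Exchange Online session.
# Names, addresses and members are constructed placeholders.
$mailboxName = 'info'
$mailboxSmtp = 'info@yourdomain.com'
$groupName   = 'Companygroup'
$groupSmtp   = 'companygroup@yourdomain.com'
$members     = @('alice@yourdomain.com', 'bob@yourdomain.com')

# 1. Shared mailbox (users never sign in to it directly, so it needs no license).
if (-not (Get-Mailbox -Identity $mailboxName -ErrorAction SilentlyContinue)) {
    New-Mailbox -Name $mailboxName -Alias corpprint -PrimarySmtpAddress $mailboxSmtp -Shared | Out-Null
}
Set-Mailbox -Identity $mailboxName -ProhibitSendReceiveQuota 5GB -ProhibitSendQuota 4.75GB -IssueWarningQuota 4.5GB

# 2. Mail-enabled security group; membership is closed, only owners/admins add members.
if (-not (Get-DistributionGroup -Identity $groupName -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $groupName -Type Security -PrimarySmtpAddress $groupSmtp -Members $members | Out-Null
}

# 3. Grant the group Full Access and Send As on the shared mailbox.
Add-MailboxPermission -Identity $mailboxName -User $groupName -AccessRights FullAccess -InheritanceType All
Add-RecipientPermission -Identity $mailboxName -Trustee $groupName -AccessRights SendAs -Confirm:$false

# 4. Verify what was granted; stray grants to individual users show up here too.
Get-MailboxPermission -Identity $mailboxName |
    Where-Object { $_.User -notlike 'NT AUTHORITY\*' -and -not $_.IsInherited } |
    Select-Object User, AccessRights
Get-RecipientPermission -Identity $mailboxName |
    Where-Object { $_.Trustee -notlike 'NT AUTHORITY\*' } |
    Select-Object Trustee, AccessRights
```

Granting to the group rather than to individual users keeps the access list reviewable: step 4 should list only the group.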