How to disable Office Groups and Teams creation the right way.

Why disable group/team creation

Some companies want to restrict who can create Office 365 groups and Teams. There can be many reasons for this; for instance, you may want to disable self-service creation of groups and teams so that you stay in control over these features.

To do this the right way, it is recommended that only certain users are able to create groups and teams. To achieve that, create a Universal Security Group (mail enabled). This group is used only to control group and team creation.

First steps

As mentioned before, it is recommended to create a Universal Security Group (mail enabled). When you have Azure AD Connect in place you should create this group on-premises and sync it to Azure AD. That means the membership is maintained on-premises.

You can also create this group in Azure AD itself. If that is your way to go, just create a security group in Azure AD. Be aware that the membership is then maintained in Azure AD / Office 365.

The Script

To disable group/team creation, run the script below from the Azure AD PowerShell module (after Connect-AzureAD):

$Settings = Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq 'Group.Unified'}
If ( !( $Settings)) {
# No Group.Unified object found, create a new settings object from the template
$Template = Get-AzureADDirectorySettingTemplate | Where-Object {$_.DisplayName -eq 'Group.Unified'}
# Show the default values of the template
$Template | Select-Object -ExpandProperty Values
$Settings = $Template.CreateDirectorySetting()
}
# Block creation for everyone except the members of the allowed group
$Settings['EnableGroupCreation'] = 'false'
$Settings['AllowToAddGuests'] = 'false'
$Settings['GroupCreationAllowedGroupId'] = ( Get-AzureADGroup -SearchString 'Office365GroupTeamsAdmins').ObjectId
# Update the existing settings object, or create it when it did not exist yet
If ( Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq 'Group.Unified'} ) {
Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq 'Group.Unified'} | Set-AzureADDirectorySetting -DirectorySetting $Settings
}
Else {
New-AzureADDirectorySetting -DirectorySetting $Settings
}

Make sure there is a synced, mail-enabled universal security group with the name Office365GroupTeamsAdmins. A user must be a member of Office365GroupTeamsAdmins to create groups and teams; all other users are not permitted.
Thanks to Michel de Rooij for this script.
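After applying the setting it is worth reading it back and reviewing who is actually on the allowlist. The script below is an added example, not part of the original post or Michel de Rooij's script; it assumes an existing Connect-AzureAD session and uses the group name Office365GroupTeamsAdmins from this post.

```powershell
# Added example: read back the Group.Unified settings and list the members of the
# group that is allowed to create groups and teams.
# Assumes the AzureAD module and an existing Connect-AzureAD session.
$GroupName = 'Office365GroupTeamsAdmins'   # name used in this post; adjust to your own group

$Settings = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
if (-not $Settings) {
    Write-Warning 'No Group.Unified settings object exists; group creation is still open to all users.'
    return
}

# Flatten the Name/Value pairs into a hashtable for easy lookup
$Values = @{}
foreach ($v in $Settings.Values) { $Values[$v.Name] = $v.Value }

"EnableGroupCreation         : $($Values['EnableGroupCreation'])"
"AllowToAddGuests            : $($Values['AllowToAddGuests'])"
"GroupCreationAllowedGroupId : $($Values['GroupCreationAllowedGroupId'])"

if ($Values['EnableGroupCreation'] -ne 'false') {
    Write-Warning 'EnableGroupCreation is not false; every user can still create groups and teams.'
}

# Resolve the allowed group and show its members so the allowlist can be reviewed
if ($Values['GroupCreationAllowedGroupId']) {
    $Allowed = Get-AzureADGroup -ObjectId $Values['GroupCreationAllowedGroupId']
    if ($Allowed.DisplayName -ne $GroupName) {
        Write-Warning "Allowed group is '$($Allowed.DisplayName)', not '$GroupName'."
    }
    "Members of $($Allowed.DisplayName) who may create groups and teams:"
    Get-AzureADGroupMember -ObjectId $Allowed.ObjectId -All $true |
        Select-Object DisplayName, UserPrincipalName
}
else {
    Write-Warning 'GroupCreationAllowedGroupId is empty; with EnableGroupCreation=false nobody (except admins) can create groups.'
}
```

Run this periodically (or after any change to the group) so that membership of the allowlist group stays under review; an unexpected member here is the first sign that the restriction is being bypassed.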

Export all mailboxes with their sizes to TXT or CSV with Powershell

Export mailboxes

Most of the time, when you are in a mailbox migration project, there is a phase where you need to inventory the user mailboxes together with their sizes. To get that kind of data out of Exchange you need to use Exchange PowerShell.

Powershell

To export mailbox data out of Exchange you can use the command Get-MailboxStatistics -Identity "sAMACCOUNTNAME" | fl. This gives you a complete list of the statistics for the account/mailbox (in this example the j3rmeyer mailbox) in Exchange.

If you look further you will notice that there is actually only one useful unique attribute that you can match later on with Active Directory. That attribute is the MailboxGuid.

To get this data out of Exchange in a useful way, the best thing to do is combine it with the DisplayName.

The script

In this script I combine the display name with the MailboxGuid and the total size of the mailbox. That is not all I want: I want to export all the mailboxes on a specified Exchange server. To do that you give the server name instead of the identity of a user.

Below you will find the script I use to export such data:

Get-MailboxStatistics -Server "DATABASESERVERNAME" | Sort-Object TotalItemSize -Descending | Format-Table DisplayName, MailboxGuid, @{label="TotalItemSize(KB)";expression={$_.TotalItemSize.Value.ToKB()}}, ItemCount > C:\temp\mailbox_sizes_emailboxserver.txt

If you want the output as a CSV file that opens in Excel instead of a TXT file, use Select-Object and Export-Csv instead of Format-Table and a redirect; Format-Table output written to a .csv file is not valid CSV. The PowerShell command below does this:

Get-MailboxStatistics -Server "DATABASESERVERNAME" | Sort-Object TotalItemSize -Descending | Select-Object DisplayName, MailboxGuid, @{label="TotalItemSize(KB)";expression={$_.TotalItemSize.Value.ToKB()}}, ItemCount | Export-Csv -Path C:\temp\mailbox_sizes_emailserver.csv -NoTypeInformation
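The post mentions that MailboxGuid is the one attribute you can match against Active Directory later. The script below is an added example (not the post's own script) that does that match in the same run: it exports the mailbox statistics to CSV and joins each mailbox to its AD account through the msExchMailboxGuid attribute. It assumes the Exchange Management Shell plus the ActiveDirectory module on the same machine; the server name and output path are placeholders.

```powershell
# Added example: export mailbox sizes to CSV and match every mailbox to its
# Active Directory account via MailboxGuid.
# Assumes Exchange Management Shell + ActiveDirectory module; placeholders below.
$Server  = 'DATABASESERVERNAME'
$OutFile = 'C:\temp\mailbox_sizes_with_ad.csv'

# msExchMailboxGuid is stored in AD as a byte array; convert it to a System.Guid
# so it can be compared with the MailboxGuid that Get-MailboxStatistics returns.
$AdByGuid = @{}
Get-ADUser -Filter 'msExchMailboxGuid -like "*"' -Properties msExchMailboxGuid |
    ForEach-Object {
        $guid = [guid]::new([byte[]]$_.msExchMailboxGuid)
        $AdByGuid[$guid.Guid] = $_
    }

Get-MailboxStatistics -Server $Server |
    Sort-Object TotalItemSize -Descending |
    ForEach-Object {
        # Disconnected or orphaned mailboxes have no AD account; MatchedInAD flags them
        $ad = $AdByGuid[$_.MailboxGuid.Guid]
        [pscustomobject]@{
            DisplayName         = $_.DisplayName
            MailboxGuid         = $_.MailboxGuid
            'TotalItemSize(KB)' = $_.TotalItemSize.Value.ToKB()
            ItemCount           = $_.ItemCount
            SamAccountName      = if ($ad) { $ad.SamAccountName } else { '' }
            UserPrincipalName   = if ($ad) { $ad.UserPrincipalName } else { '' }
            MatchedInAD         = [bool]$ad
        }
    } |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
```

Rows with MatchedInAD set to False are mailboxes that exist in the database but have no matching account in AD (disconnected, soft-deleted or orphaned), which is exactly the list you want to review before a migration rather than discover halfway through it.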

 


Migrate Exchange Hybrid Server to another domain

Migrate Exchange Hybrid server

If you just want to manage the users in Exchange Online and you want to keep Exchange Hybrid, it is recommended to keep one hybrid server connected to your Office 365 tenant. You have to make sure that you migrate the rest of the mailboxes to Office 365 first.

When all users are in Office 365, install another Exchange server in the other domain and turn it into a hybrid server.

Note: you have to change the configuration of your Azure AD Connect to accomplish this.

In this blog I will explain step by step how to achieve this.

Install Exchange 2016 in user Forest

Install Exchange 2016 in the (new) user forest and set the SCP to null to prevent any Autodiscover lookups against it. You can use the command below to do this. Changing the SCP record should not affect the existing deployment in the other forest. The recommendation is to set the SCP to null as soon as the installation of Exchange 2016 is completed; this is more of a precaution than anything else, as all the Autodiscover DNS entries already point to Exchange Online.

# Select the Exchange 2013/2016 servers (version 15.x) and clear their Autodiscover SCP
Get-ExchangeServer | Where-Object {$_.AdminDisplayVersion -Like "Version 15.*"} | Set-ClientAccessServer -AutoDiscoverServiceInternalUri $null

Configure new Exchange server

Add the Office 365 mail routing domain as a remote domain in your Exchange server. You can do this in the Exchange Admin Center (EAC) of your Exchange server. If there already is a connector you can see it in the overview.

To add a mail flow connector, click the + button.

Select your Exchange server and follow the instructions. You can also do this with PowerShell (make sure you use the Exchange Management Shell):

New-SendConnector -Name J3Rmeyer -AddressSpaces * -CloudServicesMailEnabled $true -Fqdn <CertificateHostNameValue> -RequireTLS $true -DNSRoutingEnabled $false -SmartHosts jerrymeyer.nl-com.mail.protection.outlook.com -TlsAuthLevel CertificateValidation

This command creates a send connector as follows:

  • Name   j3rmeyer
  • FQDN   mail.jerrymeyer.nl
  • SmartHosts   jerrymeyer.nl.mail.protection.outlook.com

If you have multiple connectors, please take a look at the TechNet page where all the details are explained.

*Source: Microsoft technet

Export Exchange Attributes

Export the Exchange attributes from the resource forest account. If you have read my blog about migrating Azure AD Connect to another domain/forest, you will see that there are a lot of similarities.

Link to former blogpost

It is important that you export the attributes below:

  • userPrincipalName
  • proxyAddresses
  • legacyExchangeDN
  • targetAddress

When you run Hybrid you need the above plus the attributes below:

  • msExchRecipientTypeDetails
  • msExchMasterAccountSid
  • msExchRecipientDisplayType
  • msExchRemoteRecipientType

*note: check in your user environment whether the MEU (mail-enabled user) and mailbox Exchange GUIDs match. Also check whether the msExchMasterAccountSid values are filled. The msExchMasterAccountSid is used to join the users in the Metaverse of Azure AD Connect, so that only one user shows up in the Office 365 tenant.
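As an added example (not the post's own script) of the export and import of the attributes listed above, the script below reads them from the resource-forest accounts into a CSV and writes them onto the matching user-forest accounts. The domain controller names, the CSV path and the matching rule (the same sAMAccountName in both forests) are assumptions; msExchMasterAccountSid is exported so you can verify the link between the two accounts, but is not written to the user forest.

```powershell
# Added example: export Exchange attributes from the resource forest and import
# them onto the user-forest accounts. Placeholders and assumptions are marked.
$ResourceDC = 'dc01.resource.example'   # placeholder: a DC in the resource forest
$UserDC     = 'dc01.user.example'       # placeholder: a DC in the user forest
$Csv        = 'C:\temp\exchange-attributes.csv'

$Attrs = 'userPrincipalName','proxyAddresses','legacyExchangeDN','targetAddress',
         'msExchRecipientTypeDetails','msExchMasterAccountSid',
         'msExchRecipientDisplayType','msExchRemoteRecipientType'

# --- Export: one row per mail-enabled resource-forest account.
# proxyAddresses is multi-valued, so it is joined with ';' for the CSV.
Get-ADUser -Server $ResourceDC -Filter 'msExchRecipientTypeDetails -like "*"' -Properties $Attrs |
    Select-Object SamAccountName, userPrincipalName, legacyExchangeDN, targetAddress,
        @{n='proxyAddresses'; e={ $_.proxyAddresses -join ';' }},
        msExchRecipientTypeDetails, msExchRecipientDisplayType, msExchRemoteRecipientType,
        @{n='msExchMasterAccountSid'; e={ if ($_.msExchMasterAccountSid) { $_.msExchMasterAccountSid.Value } }} |
    Export-Csv -Path $Csv -NoTypeInformation -Encoding UTF8

# --- Import: write the attributes to the user-forest account with the same sAMAccountName.
# -WhatIf is set so the first run only reports; remove it once the preview looks right.
Import-Csv $Csv | ForEach-Object {
    $row    = $_
    $target = Get-ADUser -Server $UserDC -Filter "sAMAccountName -eq '$($row.SamAccountName)'"
    if (-not $target) {
        Write-Warning "No user-forest account for $($row.SamAccountName); skipped"
        return
    }

    $replace = @{}
    foreach ($name in 'userPrincipalName','legacyExchangeDN','targetAddress') {
        if ($row.$name) { $replace[$name] = $row.$name }
    }
    # Large-integer attributes
    foreach ($name in 'msExchRecipientTypeDetails','msExchRemoteRecipientType') {
        if ($row.$name) { $replace[$name] = [long]$row.$name }
    }
    # 32-bit integer attribute (holds negative values such as -2147483642)
    if ($row.msExchRecipientDisplayType) { $replace['msExchRecipientDisplayType'] = [int]$row.msExchRecipientDisplayType }
    if ($row.proxyAddresses) { $replace['proxyAddresses'] = [string[]]($row.proxyAddresses -split ';') }

    if ($replace.Count) {
        Set-ADUser -Server $UserDC -Identity $target -Replace $replace -WhatIf
    }
}
```

Keep the CSV: after the import it is the record of what the resource-forest objects looked like, and the msExchMasterAccountSid column lets you confirm, per user, that the SID in the resource forest really points at the user-forest account that Azure AD Connect will join it to.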

Azure AD Connect pt1

When you have exported all the attributes it is time to stop Azure AD Connect. You can do this with the commands below.

To disable directory synchronization in the Office 365 tenant:

Set-MsolDirSyncEnabled -EnableDirSync $false

Check if it is enabled:

(Get-MSOLCompanyInformation).DirectorySynchronizationEnabled

Then remove the resource forest from the Azure AD Connect scope so that it only syncs the user forest accounts.

Import Exchange Attributes

Import the Exchange attributes onto the user forest account and make sure to run Enable-RemoteMailbox to match the mailboxes in Exchange Online with the user accounts on-premises:

Enable-RemoteMailbox jerry -RemoteRoutingAddress jerry@j3rmeyer.mail.onmicrosoft.com

The Enable-RemoteMailbox command can be run immediately after creating the user account in Active Directory, so there is no need to wait for the next Azure AD Connect synchronization cycle to complete before enabling the mailbox. Once the user account has been provisioned to Azure AD, the mailbox is automatically created or matched.

Azure AD Connect pt2

When you have imported the Exchange attributes and matched the mailboxes, it is time to enable Azure AD Connect again.

To enable directory synchronization in the Office 365 tenant:

Set-MsolDirSyncEnabled -EnableDirSync $true

Check if it is enabled:

(Get-MSOLCompanyInformation).DirectorySynchronizationEnabled

Change Azure AD configuration

When Azure AD Connect is doing its work and you have tested the mailboxes, it is time to remove the resource forest. To remove the resource forest from Azure AD Connect, go to the configuration wizard of Azure AD Connect.

Go to the containers and untick the domain.

Decommission hybrid from resource forest

This step starts with a note.

*note: be sure to establish mail flow in your new environment prior to decommissioning Exchange hybrid, or queue the mail on-premises.

Below you find a list of what to do:

  1. Move all legacy Exchange mailboxes to the newly deployed Exchange Server 2013/2016 in the organization.
  2. Move all content from the public folder database on the legacy Exchange server to a public folder database on an Exchange 2013/2016 server in the organization.
  3. Remove the public folder mailbox and stores on the legacy Exchange server.
  4. For each offline address book (OAB), move the generation process to an Exchange 2013/2016 server. Ensure 2013/2016 is the one generating/serving OABs for users.
  5. Remove all added database copies of the mailbox databases so each database has a single copy.
  6. Remove all nodes from any existing Database Availability Group.
  7. Delete the Database Availability Group.
  8. Optional: set the RpcClientAccessServer value of all databases to the FQDN of their server.
  9. Optional: remove the CAS Array object(s).
  10. Check the SMTP logs to see if any outside systems are still sending SMTP traffic to the servers via hard-coded names.
  11. Start removing mailbox databases, making sure no arbitration mailboxes still exist on the legacy Exchange servers.
  12. Verify that Internet mail flow is configured to route through your Exchange 2013/2016 transport servers.
  13. Verify that all inbound protocol services (Exchange ActiveSync, Outlook Web App, Outlook Anywhere, POP3, IMAP4, the Autodiscover service, and any other Exchange Web service) are configured for Exchange 2013/2016.
  14. Start uninstalling Exchange Server and reboot the server.

*source: blog technet

Configure hybrid in user forest

I think most of you know how to do this. If not, please check out the blog of Jaap Wesselius.

 

I think I have captured most of the migration. If you notice something is missing, incomplete or wrong, please notify me.

How to restore Office 365 group

Some of you probably know that it was not possible to restore the data of an Office 365 group. Recently Microsoft introduced new functionality to restore a deleted Office 365 group or team. This means that you can restore an Office 365 group including all its content.

The removal of a group can really be a pain for the members of that group or team.

First of all, a tip on restoring an Office 365 group.

Don't use Remove-MsolGroup, because it purges the group permanently. Always use Remove-AzureADMSGroup to delete an Office 365 group.

Before you start with this topic, make sure you have Azure Active Directory PowerShell Version 2 installed, otherwise you will miss a lot of cmdlets. You can download it from the Microsoft site. The new version of the module also contains a lot of new features regarding Azure AD. Use the command Connect-AzureAD to connect directly to your Office 365 tenant.

To get all removed Office 365 groups, execute the command below:

Get-AzureADMSDeletedGroup

Before you restore the group or team, get more details about the removed Office 365 group. You can also get the object ID from here.

Execute the Get command with the object ID of the removed group (you can also look up the object ID in Azure AD):

Get-AzureADMSDeletedGroup -Id <ObjectID>

How to restore your deleted Office 365 group

Once you have verified that the group is soft deleted, the restore command restores everything in the Office 365 group (it can take up to 2 days to restore everything). I know this can take a long time and you cannot see the status of the restore, but the wait is worth the effort.

Restore-AzureADMSDeletedDirectoryObject -Id <ObjectID>

I think you will use this a lot when you manage an Office 365 tenant.

Office 365 B2B Guest invites with Powershell (without invite email)

Intro: add guest users to Office 365 with B2B

Sometimes you need to give external users access to your Office 365 tenant. When this is one user you can just invite the user from the portal (Office 365 B2B guest invites). But what do you do when you need to give access to lots of users without sending an invitation mail?

In this article I explain how you can add multiple users (10, 100, 1000, 10000) as guests to your Office 365 tenant.

First of all you need to do the manual invite once and give the user you have invited 2 roles:

  1. User management
  2. Invite guests

The "Invite guests" role speaks for itself, but you need the user management role for changing attributes or removing the user from the tenant.

OK, let's start with Office 365 B2B guest invites.

Invite a user from your source tenant into your destination tenant. When you have done this, the user should show up in your Office 365 tenant under guests with a name like:

user_domain.com#EXT#@j3rmeyerDEV.onmicrosoft.com

When you have checked this, execute the following command to give the right permissions to that user:

Add-MsolRoleMember -RoleObjectId 95e79109-95c0-4d8e-aee3-d01accf2d47b -RoleMemberEmailAddress "user_domain.com#EXT#@j3rmeyerDEV.onmicrosoft.com"

*note: the invited user gets an email which he needs to accept, so for testing purposes give him an Exchange Online license.

Now that we have done this, you can check it in Azure AD under the role assignments of the user account (sorry for the Dutch screenshot).

OK, so now we have created an inviter account in the destination tenant that is allowed to invite users from his own tenant into your tenant. The good part is that the users he invites will not get an invitation email when you execute the following PowerShell script:
# Connect to the destination tenant with the credentials of the inviter account (yes I know you can use a key file)
$Username = "Inviteraccount"
$Password = "Inviteraccount password"
$PasswordSecured = ConvertTo-SecureString -String $Password -AsPlainText -Force
$UserCredential = New-Object System.Management.Automation.PSCredential $Username,$PasswordSecured
Connect-AzureAD -Credential $UserCredential -TenantDomain "j3rmeyerDEV.onmicrosoft.com"
# Invite the user without sending an invitation mail
$newuser = New-AzureADMSInvitation -InvitedUserEmailAddress "user2@domain.com" -InvitedUserDisplayName "User2" -SendInvitationMessage $false -InviteRedirectUrl "https://j3rmeyerdev.sharepoint.com"
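The script above invites one user. The script below is an added example (not the post's own script) that does the same for a list of users read from a CSV, still without sending invitation mails, and skips addresses that already exist as guests so it can be re-run safely. The CSV path and its columns, the redirect URL and the tenant name are assumptions; the inviter account's credentials are prompted for with Get-Credential instead of being stored in the script.

```powershell
# Added example: bulk guest invites from a CSV without invitation mails.
# Assumes the AzureAD module; CSV columns Email and DisplayName are assumed.
$Csv         = 'C:\temp\guests.csv'                 # placeholder: columns Email,DisplayName
$RedirectUrl = 'https://j3rmeyerdev.sharepoint.com'  # where the guest lands after redemption
$Tenant      = 'j3rmeyerDEV.onmicrosoft.com'

$Cred = Get-Credential -Message 'Inviter account in the destination tenant'
Connect-AzureAD -Credential $Cred -TenantDomain $Tenant | Out-Null

# Lookup of existing guests by their mail address, so re-running the script
# does not create duplicate invitations.
$Existing = @{}
Get-AzureADUser -Filter "userType eq 'Guest'" -All $true | ForEach-Object {
    if ($_.Mail) { $Existing[$_.Mail.ToLower()] = $_.ObjectId }
}

$Results = foreach ($row in Import-Csv $Csv) {
    $mail = $row.Email.Trim().ToLower()
    if ($Existing.ContainsKey($mail)) {
        [pscustomobject]@{ Email = $mail; Status = 'AlreadyGuest'; ObjectId = $Existing[$mail] }
        continue
    }
    try {
        $inv = New-AzureADMSInvitation -InvitedUserEmailAddress $mail `
                   -InvitedUserDisplayName $row.DisplayName `
                   -SendInvitationMessage $false `
                   -InviteRedirectUrl $RedirectUrl
        [pscustomobject]@{ Email = $mail; Status = $inv.Status; ObjectId = $inv.InvitedUser.Id }
    }
    catch {
        [pscustomobject]@{ Email = $mail; Status = "Failed: $($_.Exception.Message)"; ObjectId = $null }
    }
}

$Results | Format-Table -AutoSize
# Keep a record of who was invited and when; useful for later access reviews of guests
$Results | Export-Csv -Path 'C:\temp\guest-invite-results.csv' -NoTypeInformation
```

Because no invitation mail is sent, the results CSV is the only record of the invitations; keep it, since guests created this way are easy to lose track of and should be included in periodic guest access reviews.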

In a following blog post I will show you how you can easily loop through the users in Active Directory and add them as guests without an invitation mail to your Office 365 tenant.

How to Fix Duplicate Exchange Guid Errors in Office 365

When you are migrating users to Office 365 you can run into a lot of issues. One of these issues is duplication errors in your tenant. Duplicate Exchange Online GUID errors can generate a lot of problems; think of duplicate accounts or mail users that cannot be removed.

When you see these issues you probably have no clue what to do, but actually they are pretty easy to fix.

Fix Duplicate Exchange Guid Errors:

This fix involves a lot of PowerShell to get the error details and the data you need to perform the actions that resolve it. To do this with ease I recommend that you install the latest versions of the PowerShell modules before you continue, and make sure you have the permissions needed. Start by reading the validation error of the affected user:

(Get-MsolUser -UserPrincipalName affecteduser@domain.com).errors.errordetail.objecterrors.errorrecord| fl

Search in EXO PowerShell for the object that is using the mentioned EXchangeGUID or ArchiveGUID:

Get-Recipient -IncludeSoftDeletedRecipients 'ExchangeGUID value' | ft RecipientType,PrimarySmtpAddress,*WhenSoftDeleted*

Once you have found the object that is using this ExchangeGUID or ArchiveGUID, you have to purge it. When you purge it you have 2 options: removal of a soft-deleted MailUser or removal of a soft-deleted UserMailbox.

1. If it is a softdeleted MailUser:

Remove-MailUser 'ExchangeGUID value' -PermanentlyDelete

2. If it is a softdeleted UserMailbox, run:

Remove-Mailbox 'ExchangeGUID value' -PermanentlyDelete

If this command fails because the mailbox is protected by a hold, you have to disable the hold first (check whether a data backup is required):

Set-Mailbox user@domain.com -LitigationHoldEnabled $false -InactiveMailbox

If it turns out to be an active mail user/mailbox that is using this ExchangeGUID/ArchiveGUID, you need to evaluate the option of purging that user. Most of the time purging is needed to continue with the actions.

Next step after purging.

After the faulty object has been purged from Exchange Online, we need to fix the validation error by forcing the object provisioning:

Get-MsolUser -UserPrincipalName user@domain.com |fl *objectID*

Redo-MsolProvisionUser -ObjectId 'paste the *objectID* value from the command above'

Wait 5 minutes and then run the next command to confirm that your validation error is fixed:

(Get-MsolUser -UserPrincipalName user@domain.com).errors.errordetail.objecterrors.errorrecord| fl
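The steps above are run by hand one at a time. As an added example (not the post's own script) the script below strings them together into one pass that reports before it removes anything: it reads the validation error, pulls any GUIDs out of it, looks each one up in Exchange Online and only purges soft-deleted objects, and only when you ask it to with -Purge. It assumes connected MSOnline and Exchange Online PowerShell sessions; extracting the GUID from the error text with a regular expression is an assumption about the error's format, which is why the matched text is printed for review.

```powershell
# Added example: triage and (optionally) fix a duplicate ExchangeGUID/ArchiveGUID
# validation error for one user. Assumes MSOnline + Exchange Online sessions.
param(
    [Parameter(Mandatory)] [string] $AffectedUpn,
    [switch] $Purge       # without this switch nothing is deleted
)

$errors = (Get-MsolUser -UserPrincipalName $AffectedUpn).Errors.ErrorDetail.ObjectErrors.ErrorRecord
if (-not $errors) { "No validation errors on $AffectedUpn"; return }

# Render the error objects as text and extract every GUID-shaped value from it
$text  = ($errors | Out-String) -replace '\s+', ' '
$guids = [regex]::Matches($text, '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}') |
         ForEach-Object { $_.Value } | Sort-Object -Unique
"Validation error text: $text"
"GUIDs found in the error: $($guids -join ', ')"

foreach ($g in $guids) {
    $obj = Get-Recipient -IncludeSoftDeletedRecipients $g -ErrorAction SilentlyContinue
    if (-not $obj) { "No Exchange Online recipient uses $g"; continue }
    $obj | Format-List RecipientType, PrimarySmtpAddress, WhenSoftDeleted

    if (-not $obj.WhenSoftDeleted) {
        # Active object: the post says to evaluate purging manually, so stop here
        Write-Warning "$($obj.PrimarySmtpAddress) is an active object; decide manually whether to purge it."
        continue
    }
    if (-not $Purge) { "Soft-deleted object found; re-run with -Purge to remove it."; continue }

    # The cmdlets prompt for confirmation; a hold on the mailbox still has to be lifted by hand
    switch ($obj.RecipientType) {
        'MailUser'    { Remove-MailUser -Identity $g -PermanentlyDelete }
        'UserMailbox' { Remove-Mailbox  -Identity $g -PermanentlyDelete }
        default       { Write-Warning "Unhandled RecipientType $($obj.RecipientType) for $g" }
    }
}

if ($Purge) {
    # Force provisioning again so the validation error is re-evaluated
    $id = (Get-MsolUser -UserPrincipalName $AffectedUpn).ObjectId
    Redo-MsolProvisionUser -ObjectId $id
    "Provisioning re-triggered for $AffectedUpn; check the errors again after about 5 minutes."
}
```

Save it as a .ps1 and run it first without -Purge: the dry run shows the error text, the GUIDs it found and what each one resolves to, which is the evidence you want in the ticket before any object is permanently deleted.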


Office 365 Hybrid migration error: StalledDueToTarget_DiskLatency

The error you get refers to 'StalledDueToTarget_DiskLatency'.

StalledDueToTarget_DiskLatency

To be straight to the point: this is an issue you can do nothing about yourself. When you get the message StalledDueToTarget_DiskLatency, it is caused by the Exchange Online servers and not by the on-premises infrastructure, so there is nothing you can do locally.

In this case the only thing you can do is open a case with Microsoft. When you have done this, ask them what the cause of this error on the target side (Office 365) can be.

It is a good idea to open the case mentioning the error (StalledDueToTarget_DiskLatency) and ask them whether they can perform a change that might improve the migration speed.
