Yesterday, Microsoft announced the Organization Config Transfer (OCT) feature in the Hybrid Configuration Wizard. The feature is expected to start showing up in late June 2018. In an ongoing effort to improve the wizard, I believe this is a step in the right direction. Ever since the HCW was first conceived, running it left you with a series of steps which you had to run through manually to ensure that the Exchange Online configuration matched the on-premises configuration.
For example, you had to recreate the retention policies and tags that existed in the on-premises organization if you wanted to continue to use them in Exchange Online (and not to lose them during a migration!). The same was true for other policies like the OWA Mailbox Policy or ActiveSync Policy.
With the OCT feature, the HCW will automatically take care of that and copy the settings of the following elements to Exchange Online for you:
Retention Policy Tags
OWA Mailbox Policy
Mobile Device Mailbox Policy
Active Sync Mailbox Policy
Note: in this version of the HCW, it will only copy “new” policies, i.e. policies that do not yet exist in Exchange Online. If a policy with the same name already exists in Exchange Online, or if you update the policy in the on-premises organization after it has been copied to Exchange Online, the OCT feature will not “sync” the policy or the updates across. According to Microsoft, this is something for the next version of the feature.
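Because OCT only copies policies that do not exist yet and never reconciles later changes, you want a way to see what actually made it across and what has drifted since. The script below is an added example and not part of the original post or of the HCW itself. It assumes you run it from the on-premises Exchange Management Shell with the Exchange Online PowerShell module installed, and that the Exchange Online session is opened with the prefix "Cloud" so the cloud cmdlets become Get-CloudRetentionPolicyTag and Get-CloudRetentionPolicy; the list of compared properties is my choice, not something the HCW publishes.

```powershell
# Added example, not part of the original post: compare the retention tags and
# retention policies that exist on-premises with those in Exchange Online, so you
# can see what Organization Config Transfer did (and did not) copy across, and
# spot tags that exist in both places but have since drifted apart.
#
# Assumptions: run from the on-premises Exchange Management Shell (so the plain
# cmdlets target the on-premises organization), with the Exchange Online module
# installed; the Exchange Online session is opened with the prefix "Cloud", so the
# same cmdlets are available as Get-CloudRetentionPolicyTag / Get-CloudRetentionPolicy.
Connect-ExchangeOnline -Prefix Cloud -ShowBanner:$false

# Properties that define what a tag does. If one differs, a tag with the same
# name exists in both organizations but it is not the same tag, and OCT will
# not bring the cloud copy in line.
$tagProps = 'Type', 'AgeLimitForRetention', 'RetentionAction', 'RetentionEnabled'

$cloudTags = Get-CloudRetentionPolicyTag
foreach ($tag in Get-RetentionPolicyTag) {
    $match = $cloudTags | Where-Object { $_.Name -eq $tag.Name }
    if (-not $match) {
        "MISSING   tag '$($tag.Name)' does not exist in Exchange Online"
        continue
    }
    foreach ($prop in $tagProps) {
        if ("$($tag.$prop)" -ne "$($match.$prop)") {
            "DIFFERENT tag '$($tag.Name)': $prop is '$($tag.$prop)' on-premises, '$($match.$prop)' in Exchange Online"
        }
    }
}

# Same for the policies, comparing the set of tags linked to each one by name.
$cloudPolicies = Get-CloudRetentionPolicy
foreach ($policy in Get-RetentionPolicy) {
    $match = $cloudPolicies | Where-Object { $_.Name -eq $policy.Name }
    if (-not $match) {
        "MISSING   policy '$($policy.Name)' does not exist in Exchange Online"
        continue
    }
    $onPremLinks = @($policy.RetentionPolicyTagLinks | ForEach-Object { $_.Name })
    $cloudLinks  = @($match.RetentionPolicyTagLinks  | ForEach-Object { $_.Name })
    $onlyOnPrem  = @($onPremLinks | Where-Object { $_ -notin $cloudLinks })
    $onlyCloud   = @($cloudLinks  | Where-Object { $_ -notin $onPremLinks })
    if ($onlyOnPrem -or $onlyCloud) {
        "DIFFERENT policy '$($policy.Name)': only on-premises [$($onlyOnPrem -join ', ')]; only in Exchange Online [$($onlyCloud -join ', ')]"
    }
}
```

Run it once right after the HCW completes and again before each migration batch: a "DIFFERENT" line for a tag means someone changed the on-premises copy after OCT ran, and mailboxes moved to Exchange Online will silently get the older behaviour.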
Some might say this is only a small addition to the HCW, and while it might not (yet) benefit existing Hybrid customers, it’s a welcome addition for any consultant working on getting customers across to Exchange Online as it makes life just a little easier!
I’m looking forward to what Microsoft has more for hybrid in the future. Remember BRK3155 at Ignite 2017? There was a ton of cool new stuff announced, but only little has been delivered so far… Let’s see what Microsoft might deliver for Ignite 2018 as, traditionally, there seems to be a sprint to get a lot of new features out of the door ahead of the annual conference of conferences.
Today, Microsoft made some quite big (and important!) announcements around the work they are doing to improve the experience for hybrid Exchange customers. These announcements were all “dropped” during session BRK3155 (How to thrive as an organization in Exchange Online), and, for most people, came quite unexpectedly. If there’s one piece of feedback I would give Microsoft, it would be to better align the title of such sessions with their content!
This being said, with everything that was mentioned, I figured it would be a good idea to summarize it all (without going into too much detail) in a short write-up. As time permits, I will go into more detail on each of these items later this week.
If you’re not interested in more information about each feature, and just care about the headlines, here’s what was announced:
Cross-premises delegation permissions (e.g. Send-on-Behalf, calendar permissions, …) will be fully supported. The expected timeframe is Q1 2018. The fix for this is already rolling out in the service.
Microsoft is working to solve the automapping problem in hybrid deployments. The fix is being rolled out and a (private) preview is starting soon.
In the future you will be able to remove the last Exchange server after having moved all mailboxes to the cloud. Plumbing for this has already started and it is expected to be released in the coming 12-18 months. Though with Microsoft, you never know!
Microsoft is working on allowing you to move mailboxes cross-tenant. The capability to do so was demoed in the session, but more work is needed to offer a more holistic approach. This is important, because cross-tenant migrations entail more than just moving mailboxes. There’s mail routing, there’s other workloads and – perhaps most importantly – there’s the need for proper governance. None of which was discussed (or shown) at this time. The timeline for this capability is the coming 12-18 months. This means that 3rd-party vendors (like QuadroTech, BinaryTree) are still very much needed to facilitate such scenarios today. Microsoft just isn’t there yet. Time will tell how useful Microsoft’s capability will be and how 3rd-party vendors will adapt to enhance the experience even further.
To drive down complexity for hybrid deployments, a new hybrid solution backbone is being developed. This backbone uses a “connector” which no longer requires inbound connections (no more firewall ports to be opened towards on-premises) and is part of the solution for the features listed above. Think of the connector like the Azure AD Application Proxy connector, which uses the same principle (I wouldn’t be surprised if it’s a modified version thereof). Instead of reaching the on-premises servers over the public Internet, Exchange Online hands traffic to the connector, which picks it up over an outbound TCP 443 connection it has established from on-premises. The timeline is in the next 6 months or so.
Send-As permissions are a bit harder to solve. This will require item 4 to be solved (which will probably require item 5 to be done too). However, once that is done, this scenario will be covered as well. Today, the workaround is to explicitly define the permissions in both Exchange Online and on-premises (it works!).
Other news – not necessarily hybrid related – that was announced in this session:
Client Access Rules are coming to Exchange Online. These rules let you allow or deny access to Exchange Online based on conditions such as the client’s IP address, the protocol being used (e.g. remote PowerShell, EWS, OWA) or the authentication type.
New On Send events allow you to create add-ins which fire when someone sends a message (e.g. for DLP, content inspection, classification, etc.). Currently this is only available for OWA; support in the Outlook clients is coming (much) later.
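To make the Client Access Rules item concrete, here is an added example (mine, not from the session or the original post) of the rule most administrators want first: deny remote PowerShell to Exchange Online from anywhere except the corporate egress range, with a higher-priority allow for a break-glass account so a typo in the IP range cannot lock everyone out. The IP range, the account names and the test addresses are placeholders; an Exchange Online PowerShell session is assumed to be open.

```powershell
# Added example, not part of the original post: a Client Access Rule that denies
# remote PowerShell to Exchange Online from anywhere except the corporate egress
# range, plus the test to run before relying on it.
#
# Assumptions: an Exchange Online PowerShell session is open; 203.0.113.0/24,
# breakglass@contoso.com and alice@contoso.com are placeholders for your values.

$corpEgress = '203.0.113.0/24'   # placeholder: your on-premises egress range(s)

# Rules are evaluated by Priority (1 = highest); the first match wins.
# The explicit allow for the break-glass account sits in front of the deny, so a
# wrong IP range cannot lock every administrator out of the tenant.
New-ClientAccessRule -Name 'Allow break-glass remote PowerShell' `
    -Priority 1 `
    -Action AllowAccess `
    -AnyOfProtocols RemotePowerShell `
    -UsernameMatchesAnyOfPatterns 'breakglass@contoso.com'

New-ClientAccessRule -Name 'Block remote PowerShell outside corp network' `
    -Priority 2 `
    -Action DenyAccess `
    -AnyOfProtocols RemotePowerShell `
    -ExceptAnyOfClientIPAddressesOrRanges $corpEgress

# Simulate connections before trusting the rule set. The output names the rule
# that would match and whether access is allowed or denied.
# Break-glass account from an external address: expected to be allowed by rule 1.
Test-ClientAccessRule -AuthenticationType BasicAuthentication `
    -Protocol RemotePowerShell `
    -RemoteAddress 198.51.100.10 `
    -RemotePort 443 `
    -User breakglass@contoso.com

# Ordinary administrator from the same external address: expected to be denied by rule 2.
Test-ClientAccessRule -AuthenticationType BasicAuthentication `
    -Protocol RemotePowerShell `
    -RemoteAddress 198.51.100.10 `
    -RemotePort 443 `
    -User alice@contoso.com
```

Two caveats a practitioner will want: rules also apply to the session you create them from, so run the tests before closing that session, and new rules can take a while to propagate across the service, so do not assume the deny is in force the second the cmdlet returns. Microsoft has since announced the retirement of Client Access Rules in Exchange Online in favour of Azure AD Conditional Access, so treat them as a stop-gap rather than a long-term control.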
There’s plenty of exciting stuff coming in the next few months. For now, we will still have to work with the limitations that exist, but if you are in the planning phase for Hybrid Exchange, it might be worth keeping these announcements in the back of your mind.
As things unfold over the coming weeks and months, I will be covering a lot of the details here, and in the Office 365 for IT Pros ebook. Make sure to grab your copy here!
Just a few weeks ago, Microsoft announced a new feature in its line-up of hybrid Exchange capabilities: the Minimal Hybrid Configuration option. With the introduction of this new capability, Microsoft seems to have responded to a long-standing question from customers who can now move mailboxes to Office 365 without the need to deploy a ‘full’ Hybrid configuration.
Nothing but excellent news in the hybrid Exchange realm these days! Microsoft recently updated the support statement for cross-premises permissions in a hybrid deployment. As of now, Full Access delegate permissions are supported cross-premises. I know many customers will be delighted to hear this as this has been a big ask for quite some time now.
It’s important to understand that the support only applies to Full Access permissions, as stated here. Other permissions like Send-As, Receive-As or Send-on-Behalf are still not supported. Note that Microsoft is in the process of updating its documentation; you should see a more consistent message across TechNet over the next few days!
Although full access permissions have been reported to work intermittently, no cross-premises permissions were supported previously. As such, you could not rely on them working either. From what I understand, the plumbing was already in place for a while but the intermittent results were partially due to the Outlook client not honoring them quite as one would expect. Provided you have the November 2015 update to Outlook 2013, you should no longer run into any problems.
As you move mailboxes to Office 365, permissions are migrated along. If you already had permissions assigned before the move, there is nothing you need to do. Although the permissions were also migrated previously, you had to move connected mailboxes at the same time so they would be hosted in the same organization in order for them to work. Not too long ago, I was talking to a customer who started out with a handful of mailboxes to move to Office 365 but ended up with a huge migration batch because of the interwoven permissions… As of now, this is no longer needed, making planning for migration batches a lot easier!
You should now also be able to add the Full Access permissions after mailboxes have been moved. This means you can give an on-premises mailbox access to a mailbox in Office 365 and the other way around without having to set the permissions prior to moving the target mailbox to Office 365.
In order to explain things more clearly, I have put together a Q&A. I hope this helps!
What cross-premises permissions are supported in a hybrid deployment today?
Full Access only. Other delegate permissions like Send-As, Receive-As or Send-on-Behalf are not. There are no changes to cross-premises calendar delegation either. That continues to work the same way it did before.
Will the permissions work both ways?
Yes. On-premises mailboxes can access Office 365 mailboxes and vice versa.
What do I need to do to make this work?
Nothing, really. Just make sure you are using an up-to-date Outlook client. For Outlook 2013, this means you need at least the November 2015 update. Needless to say, the more up-to-date you are, the better!
To add permissions for a recipient in the other organization, you can use either PowerShell or the Exchange Admin Center. Unlike the EAC in Office 365, the on-premises EAC cannot be used to grant an Office 365 mailbox access to an on-premises mailbox. For that you must revert to PowerShell.
How do I add permissions to an Office 365 mailbox for an on-premises recipient?
Follow these steps to add Full Access permissions to an Office 365 mailbox for an on-premises recipient:
Login to the EAC in Office 365 (Exchange Online)
Navigate to recipients > mailboxes and open the properties of the mailbox you want to grant Full Access permissions on.
In the properties window, navigate to mailbox delegation
Scroll down until you get to the Full Access section. From there, use the recipient picker (plus sign) to add the on-premises mailbox you wish to grant permissions to.
How do I add permissions to an on-premises mailbox for an Office 365 recipient?
As mentioned earlier, you cannot use the on-premises EAC to add permissions for an Office 365 recipient. Instead, you must use the on-premises Exchange Management Shell. Don’t worry, it’s quite simple!
Unlike permissions within the same environment, the AutoMapping feature is not supported cross-premises, which is why I specified the –AutoMapping $false parameter. I suspect the permissions would work without the parameter too!
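As an added example covering both directions from the two questions above (my commands, not the post’s own), the block below grants Full Access from the on-premises shell and from Exchange Online PowerShell and then reads the permission back, which is the check I would always do before telling a user it is in place. The mailbox and user addresses are placeholders; the two halves run in different shells, as the comments indicate.

```powershell
# Added example, not the original post's command: grant Full Access across
# premises in both directions and verify the result. All identities are placeholders.

# Part 1: on-premises Exchange Management Shell.
# The Office 365 user exists on-premises as a remote mailbox (mail user); that is
# the object you reference. AutoMapping is not supported cross-premises, so it is
# switched off explicitly.
Add-MailboxPermission -Identity 'shared.onprem@contoso.com' `
    -User 'cloud.user@contoso.com' `
    -AccessRights FullAccess `
    -InheritanceType All `
    -AutoMapping $false

# Read the explicit (non-inherited) ACE back rather than trusting the cmdlet's echo.
Get-MailboxPermission -Identity 'shared.onprem@contoso.com' |
    Where-Object { $_.User -like '*cloud.user*' -and -not $_.IsInherited } |
    Format-Table User, AccessRights, Deny, IsInherited

# Part 2: Exchange Online PowerShell session (Connect-ExchangeOnline).
# The on-premises user is a synchronized MailUser in Exchange Online. Resolve it
# first so the permission is bound to that object and not to an unresolved name.
$onPremUser = Get-MailUser -Identity 'onprem.user@contoso.com' -ErrorAction Stop

Add-MailboxPermission -Identity 'shared.cloud@contoso.com' `
    -User $onPremUser.Identity `
    -AccessRights FullAccess `
    -InheritanceType All `
    -AutoMapping $false

Get-MailboxPermission -Identity 'shared.cloud@contoso.com' -User $onPremUser.Identity |
    Format-Table User, AccessRights, Deny, IsInherited
```

If the MailUser lookup in part 2 fails, the on-premises object has not been synchronized (or not yet) and the permission would have nothing to attach to; fix directory synchronization first rather than granting the right to a plain SMTP address.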
What will my users see?
There is no difference in how Outlook displays an Office 365 mailbox versus an on-premises mailbox you have access to. However, an on-premises user might get prompted for credentials when trying to access a mailbox in Office 365. This is because, in the background, the Outlook client must first establish a connection with the Office 365 service.
How that looks depends on a number of things, like the version of the Outlook client, whether you use Modern Authentication and whether or not they already have other Office 365 mailboxes in their Outlook profile.
It’s been a while since I last wrote an article… Although there are no excuses, I have been pretty busy lately…
First of all, I’ve been ‘heads down’ preparing version 2 of the “Office 365 for Exchange Professionals” ebook.
As Microsoft recently announced, there have been a LOT of updates and those need to be reflected in the book too!
New items include information on the new Hybrid Configuration Wizard, modern authentication, Azure AD Connect and so much more… As Tony mentioned on his blog, we plan on releasing “v2” at IT/DEV Connections in September. If you are attending IT/DEV Connections, Tony, Paul and I will be there too. Make sure to come and talk to us. We’d love to hear your feedback on the book.
This brings me to the conference itself. This year, I am lucky enough to be speaking there again. IT/DEV Connections is without a doubt one of my favorite tech conferences. It runs at a smaller scale than e.g. Ignite, but there’s a TON of great sessions, all led by even greater speakers! The fact that you aren’t overrun by tens of thousands of other attendees allows you to interact with all the speakers. If not during the sessions, there are plenty of opportunities at the evening events or in the hallway! You still have time to register, so if you are looking to attend a conference this ‘season’, IT/DEV Connections is what I would recommend. As usual, the conference is held in Las Vegas from September 14 – 17, in the beautiful Aria hotel.
I have two sessions this year. One is about Identity Management and Authentication in the online Microsoft world. Although I still have a lot of work to do for my sessions (making sure I provide you with the latest information!), I can share with you that I will also be talking about Windows Hello and Microsoft Passport. This session is on Thursday at 8:30 AM.
The second session is somewhat different from what you usually see me present. On Wednesday at 11 AM, I will be speaking about automation. The idea is not to give a theoretical session about how e.g. PowerShell DSC is supposed to work or what PowerShell is; other people are probably better suited for that! It won’t be a level 400 coding session either. I’m no developer and I’m also not a PowerShell guru! It’s rather a hands-on, real-world approach to how you can use all sorts of tools (mainly PowerShell, but also e.g. Orchestrator) to automate simple and more complex tasks. The idea for this session grew from visiting customers all over the world and seeing how they automated service tasks, onboarding etc… By the end of the session you should have picked up some ideas about what can be useful to you and how to best approach and build it!
Later in September, I will be joining another fantastic line-up of speakers at the UK UC Day in Birmingham. This is the first time this one-day conference is held, but the organisation did not spare any effort. A lot of speakers from IT/DEV Connections will be there and it’s good to see some speakers join us from the US too! This time, I will be speaking about hybrid deployments in all their glory. Single-forest, multi-forest, AAD Connect and many other things will be discussed. A high-paced session, but definitely for you if you are in a hybrid deployment, you are looking to configure a hybrid connection, or you’re a consultant who deals a lot with hybrid!
ENow will be represented at both conferences as well! In the UK we are joined by the team of Essentials. Make sure to stop at our booth and have a conversation! We look forward to another great conference and an even greater Scheduled Maintenance party!
A few days ago, Microsoft released Cumulative Update 6 for Exchange 2013 to the world. There used to be a time when Exchange Server updates were fairly safe. However, pretty much like every other Cumulative Update for Exchange 2013, this one also includes some bugs which break functionality in one way or another. While one would say that it starts to become painful for Microsoft, I’m starting to believe it’s more of a joke.
Exchange Server MVP Jeff Guillet was the first to report the issue. As it turns out, the Hybrid Configuration Wizard in CU6 runs just fine, but some of the features (like initiating a mailbox move from the on-premises EAC or the ability to switch between the on-prem/cloud EAC) no longer work. Although the scope of the break is somewhat limited (it only applies to customers in a hybrid deployment), one could argue it’s an important focus area for Microsoft – especially given that it’s cloud-related. Microsoft has been trying really hard (with success, may I add) to promote Office 365 and get customers to onboard to “the service”. As such, I find it really surprising that this is the n-th issue related to hybrid deployments in such a short time. In Cumulative Update 5, the Hybrid Configuration Wizard was broken, and now there’s this.
Needless to say, you have been warned about deploying Cumulative Updates straight into production. Pretty much every MVP who announced the Cumulative Update remarked that you had better test the update before deploying it. I would say this is a general best practice, but given the history of recent Exchange Server updates, I wouldn’t dare deploy one without thoroughly testing it.
This brings me to another point: what happened to testing, Microsoft? I understand that it’s impossible to test every customer scenario that you can find out there, but how come that pretty obvious functionalities like these manage to slip through the cracks? If it were a one-time event, I could understand. But there’s a clear trend developing here.
Running a service like Office 365 is not easy. More so, the cadence at which the service evolves can be really punishing. On-premises customers have been struggling to keep up with the updates that are being released in the cloud, but it seems that Microsoft itself is having a hard time keeping up too.
On a final note, I’m wondering what customers with a hybrid deployment should do. According to Microsoft support guidelines, hybrid customers are requested to stay current with Exchange Server updates. But given that these are now two consecutive updates causing problems, one might start to wonder if it’s not better to stay at CU4, as it was the last CU which did not have any hybrid issues…
I imagine that Microsoft is working hard on a fix for this issue, even during a holiday weekend… Let’s wait and see what happens early next week!
Until then, I would hold off on deploying CU6 and revert to using CU5 with the interim update which fixes the HCW bug or – if you don’t like IUs – stick to CU4/SP1.
Over the past twelve years I’ve gone through a series of jobs, from being a support agent at a helpdesk to being an Exchange consultant at Xylos today. All of the opportunities I have had and the customers I’ve worked with allowed me to grow as a consultant and as a person. I’m very grateful for the opportunities Xylos has offered me, but after having spent a little over six years working for them, I thought it was time for me to look forward and accept a new challenge.
As such, I’m happy and excited to announce that I will be joining ENow Software as of September 1st of this year as Product Director for their Exchange monitoring and reporting tools: Mailscape and Mailscape for Exchange Online. I look forward to working with all of the customers and getting feedback from the community to make the software even better than it already is today. Part of the reason why I chose ENow is their unique approach and philosophy. ENow started out as a consulting company and continues to provide professional services, which allows me to stay true to my “roots”.
I’m very excited about this new adventure as it allows me to combine the things I love to do with the ability to contribute to a great piece of software. Over the past few months I have been working closely with ENow in order to build Mailscape for Exchange Online. So far, customers are thrilled with what they see and we have plenty more to come! (Did you know that Mailscape for Exchange Online was also nominated for the Best of TechEd awards?)
In order to keep up with the ever-changing landscape in IT, I will continue to consult for ENow’s customers, albeit that I will spend less time doing so than I currently do. I strongly believe that staying hands-on with Exchange, Office 365 and everything related, will allow me to contribute better on a technical level but also allow me to better understand how our software should work with everything Microsoft does.
Of course, I will continue to blog here, speak at various tech conferences and be part of The UC Architects podcast. As a matter of fact, I’ll be speaking at Exchange Connections in September in Vegas where I will be presenting two sessions and a one-day workshop on deploying a Hybrid Exchange environment. If you haven’t signed up, I strongly suggest you do: after all IT/DEV Connections is one of the rare conferences where you get the chance to meet with real-world experts presenting no-nonsense and hands-on topics on various Microsoft technologies. This year’s edition has everything to make it even better than last year’s, including a new location: the beautiful Aria hotel/convention center.
Although I won’t officially be starting until September, feel free to reach out to me regarding Mailscape or ENow’s software in general. I’ll be more than happy to assist you with any questions you have. As always, you can follow me on twitter (@mvanhorenbeeck) or send me an email on firstname.lastname@example.org!
Recently, I got asked to assist with a Hybrid Configuration Wizard which was failing with the following error message:
Updating hybrid configuration failed with error ’Subtask NeedsConfiguration execution failed: Configure Mail Flow Default Receive Connector cannot be found on server <server name>. at Microsoft.Exchange.Management.Hybrid.MailFlowTask.DoOnPremisesReceiveConnectorNeedConfiguration() at…
Although the message might not reveal much information at first sight, it does contain everything we need to start troubleshooting. Typically, I would suggest you go and have a look into the Hybrid Configuration Wizard log files (located in the logging\Update-HybridConfiguration folder), but the only thing you would find there is the exact same error message.
First, we know that the HCW is trying to configure the hybrid mail flow and that it failed trying to modify the default connector that’s in place. More specifically, it was trying to modify the receive connector on the server that’s specified in the error message.
In this particular case, it wasn’t even able to find the Default Receive Connector. However, when you run Get-ReceiveConnector -Server <servername>, the receive connector does show up. How is this possible?
The Hybrid Configuration Wizard looks at more than just the existence of the connector. In fact, it will check that the connector’s configuration is valid as well. As such, it checks the bindings on the connector and expects both the IPv4 and the IPv6 binding to be present. So, to check whether your existing connector is valid, look at the connector’s bindings rather than just at whether it exists.
In this particular case, the IPv6 binding was missing. This was because IPv6 had been disabled on the server (which it shouldn’t be!). Re-enabling IPv6 and then either manually adding the binding to the connector or re-creating the connector solved the issue.
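The check described above, as an added example (my script, not something the HCW or the original post ships): run it on the Exchange 2013 server named in the error, from the Exchange Management Shell. It looks for both the IPv4 and the IPv6 binding on the Default Frontend receive connector, reports whether IPv6 has been disabled through the DisabledComponents registry value, and adds whichever binding is missing. The connector name pattern and port 25 are what Exchange 2013 creates by default; adjust them if your environment differs.

```powershell
# Added example, not from the original post: verify that the Default Frontend
# receive connector the HCW modifies has both its IPv4 and IPv6 bindings, flag a
# disabled IPv6 stack, and restore a missing binding. Run on the server itself.
$server = $env:COMPUTERNAME

# Exchange 2013 creates "Default Frontend <server>" on the Client Access role.
$connector = Get-ReceiveConnector -Server $server |
    Where-Object { $_.Name -like 'Default Frontend*' }
if (-not $connector) {
    throw "No 'Default Frontend' receive connector found on $server"
}

$bindings = @($connector.Bindings | ForEach-Object { $_.ToString() })
$expected = @('0.0.0.0:25', '[::]:25')          # IPv4 and IPv6 on port 25
$missing  = @($expected | Where-Object { $bindings -notcontains $_ })

"Connector : $($connector.Identity)"
"Bindings  : $($bindings -join ', ')"
"Missing   : $(if ($missing) { $missing -join ', ' } else { 'none' })"

# A missing [::]:25 binding usually means IPv6 was disabled via the registry.
# 0xFF (or 0xFFFFFFFF) turns off every IPv6 component; any non-zero value is suspect.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$disabled = (Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
if ($disabled) {
    'DisabledComponents = 0x{0:X}: IPv6 is (partly) disabled on {1}, which is not supported for Exchange 2013. Set it to 0 and reboot before continuing.' -f $disabled, $server
}

# Remediation: add the missing binding(s) while keeping the ones already present.
# Do this after IPv6 has been re-enabled, otherwise the [::]:25 listener cannot start.
if ($missing) {
    Set-ReceiveConnector -Identity $connector.Identity -Bindings ($bindings + $missing)
    Get-ReceiveConnector -Identity $connector.Identity | Format-List Identity, Bindings
}
```

Re-run the Hybrid Configuration Wizard only after the output reports no missing bindings; the HCW evaluates the connector again on every run and will fail with the same message until both bindings are there.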
The moral here is that you shouldn’t disable IPv6 on an Exchange 2013 box. Even more so, it’s not supported if you do. I’ve seen companies that still disable IPv6 by default; maybe a remnant from earlier times when disabling IPv6 would actually solve issues instead of creating them. However, times have changed and the IPv6 implementation in Windows is much better now…
As posted here, Microsoft today released Cumulative Update 5 for Exchange 2013. At first sight, this update doesn’t appear to make lots of changes – at least not visibly. However, it does contain a lot of fixes and, as you will find out, there have been some changes to the Hybrid Configuration Wizard as well.
New options in the Hybrid Configuration Wizard
Whenever you enable an organization for a hybrid deployment in CU5, you will find the following new option:
21Vianet is Microsoft’s partner which offers Office 365 in China. You could say that they “host” Office 365 for Chinese customers, as outlined in this press release.
MRS Proxy now configured automatically
This is one of my personal asks for quite a long time now. Although the HCW already did an excellent job configuring all the components for a hybrid deployment, it did not enable the MRS Proxy on the Exchange Web Services Virtual Directory. Even though you could do it yourself with only a single command, I’m a big fan of having the HCW take care of this. It’s one less thing you can forget yourself!
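For anyone still on an HCW that does not do this for you, or who simply wants to verify that it did, here is an added example (my script, not from the original post) that enables the MRS Proxy on every EWS virtual directory that still has it off and then tests the endpoint from Exchange Online the way a remote move request would use it. The first part runs in the on-premises Exchange Management Shell, the second in an Exchange Online PowerShell session; the hostname is a placeholder and the credential is the on-premises migration account you would hand to New-MoveRequest.

```powershell
# Added example, not from the original post: enable the MRS Proxy on every EWS
# virtual directory in the organization, then verify that Exchange Online can
# actually reach it. Hostname and credential are placeholders.

# Part 1: on-premises Exchange Management Shell. Enable only where it is still off.
Get-WebServicesVirtualDirectory |
    Where-Object { -not $_.MRSProxyEnabled } |
    ForEach-Object {
        "Enabling MRS Proxy on $($_.Identity)"
        Set-WebServicesVirtualDirectory -Identity $_.Identity -MRSProxyEnabled $true
    }

# Confirm the state on every server; ExternalUrl is the host the cloud will talk to.
Get-WebServicesVirtualDirectory | Format-Table Server, MRSProxyEnabled, ExternalUrl -AutoSize

# Part 2: Exchange Online PowerShell session. This performs the same handshake a
# remote move request does (Autodiscover is not involved; the server name must be
# the externally reachable EWS host), so a failure here means a failed migration later.
$cred = Get-Credential -Message 'On-premises migration account (DOMAIN\user)'
Test-MigrationServerAvailability -ExchangeRemoteMove `
    -RemoteServer 'mail.contoso.com' `
    -Credentials $cred
```

A Result of "Success" from the test is what you want before scheduling batches; a "Failed" result with a 401 or 403 in the message usually means the proxy is enabled but the account cannot authenticate, while a connection error points at the firewall or at the published EWS URL.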
OAuth now configured automatically
You’ll also notice that, towards the end, the Hybrid Configuration Wizard will now prompt you to configure OAuth automatically:
The wizard will then automatically redirect you to a webpage where you’ll be asked to start the configuration (again):
Once you click Configure, you will be asked to download an application which will automatically configure OAuth for you. Because it seems to be browser-integrated, you cannot run this step from a computer other than your Exchange server and then copy over the executable. Beware and make sure that you run the HCW from the Exchange server itself instead of from a remote workstation, like I tried the first time…
Once the first application was downloaded, you’ll be asked to run it:
Note: make sure that *.configure.office.com is added to your trusted sites or that you at least allow content to be downloaded from that website.
Then, after this first application has run, you’ll be prompted for an identical, second application. Only this time the application (or assistant, if you will) will be a bit bigger: 22.2 MB instead of 18 MB.
Once the second assistant completed successfully, you’ll see the following:
Note: the configuration of the Intra-Organization Connector is the only thing that’s already handled by the Hybrid Configuration Wizard itself.
It’s definitely a good thing this is now done automatically. However, I would love to see it be more integrated with the HCW. At the moment, these changes don’t show up in the Hybrid Configuration Wizard logs.
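Since the assistant’s changes leave no trace in the HCW logs, you will want to inspect what it created and prove that the trust works end to end. The block below is an added example (my commands, not the assistant’s or the post’s) to run in the on-premises Exchange Management Shell after the wizard finishes; the mailbox address is a placeholder, and the EWS URL is the Exchange Online endpoint used in Microsoft’s own OAuth connectivity test.

```powershell
# Added example, not from the original post: inspect what the OAuth assistant
# configured on-premises (it is not logged by the HCW) and verify that a token can
# actually be obtained and accepted. The mailbox is a placeholder.

# What the HCW itself configures: the Intra-Organization Connector towards Exchange Online.
Get-IntraOrganizationConnector | Format-List Name, TargetAddressDomains, DiscoveryEndpoint, Enabled

# What the OAuth assistant configures on-premises:
# - an AuthServer entry for the Azure AD / ACS authorization server Exchange trusts
# - a PartnerApplication for Exchange Online, linked to that AuthServer
Get-AuthServer         | Format-List Name, Type, IssuerIdentifier, TokenIssuingEndpoint, Enabled
Get-PartnerApplication | Format-List Name, ApplicationIdentifier, AuthMetadataUrl, Enabled

# End-to-end check: obtain a token as an on-premises mailbox and present it to the
# Exchange Online EWS endpoint. ResultType "Success" means the authorization server
# and the partner application trust are both in place; -Verbose shows the token
# request and the HTTP response when it is not.
Test-OAuthConnectivity -Service EWS `
    -TargetUri 'https://outlook.office365.com/ews/exchange.asmx' `
    -Mailbox 'onprem.user@contoso.com' `
    -Verbose | Format-List
```

If Get-AuthServer or Get-PartnerApplication come back empty, the assistant did not complete (the browser-download problem described above is the usual cause); re-run it from the Exchange server itself rather than hand-creating the objects.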
It was already clear that Microsoft is moving forward with OAuth, potentially to replace other technologies currently used in hybrid deployments. Personally, I wouldn’t be too surprised to see OAuth take over the duties of Microsoft’s Federation Gateway in the future. Not sure if this will actually happen, but it seems like a good thing. If you have ever been in a discussion with a pesky security administrator you would understand why… But don’t expect that to happen in a few months’ time: as long as Exchange 2010 is officially supported, I reckon Microsoft will have to keep the MFG around.
It’s surely a good thing to move forward with OAuth, as it has the potential to solve some long-standing issues regarding the handling of authentication and security in a cross-premises scenario like a hybrid deployment.
Today, Microsoft released Cumulative Update 5 for Exchange 2013 and Update Rollup 6 for Exchange 2010.
Exchange 2013 Cumulative Update 5
Next to a ton of bug fixes, Microsoft made changes to a few components including:
Offline Address Book generation
Hybrid Configuration Wizard
Apart from the above changes, it looks like CU5 will mostly consist of fixes. By the looks of it, and as Tony Redmond already pointed out, CU5 promises to be a stable release. Whether it will stay that way is something only time will tell…
Installing Cumulative Update 5
Installing CU5 is no different from installing older versions. You can upgrade directly from any previous version of Exchange 2013 to CU5; there is no requirement to install SP1 (a.k.a. CU4) first.
After installation, Microsoft warns that a Managed Availability probe may go into overdrive and repeatedly restart a newly added service called the Microsoft Exchange Shared Cache Service. However, this service isn’t used in CU5 (planned for the future?) and as such there is no impact at all.
However, if you are worried about your application log filling up with events from Managed Availability, you can disable the probe. More information can be found here.
This update also includes Active Directory changes, so you will be required to extend the AD schema. Given that you’re used to it by now, this shouldn’t present much of a problem. For more information on how to deploy a Cumulative Update, I suggest you have a look at the following article by ExchangeServerPro:
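As an added example (mine, not from the original post or the article it points to), here is the schema and AD preparation sequence for a Cumulative Update followed by a read-back of the version markers, so you can confirm the extension actually applied before touching the first server. Run it from the extracted CU folder, as a member of Schema Admins and Enterprise Admins, on a domain-joined machine in the same site as the schema master. The script prints the values rather than hard-coding what they should be; compare them with the numbers Microsoft publishes for the CU you are deploying.

```powershell
# Added example, not from the original post: extend the schema and prepare AD for
# an Exchange 2013 Cumulative Update, then read the version markers back.
# Prerequisites: run from the extracted CU folder, as Schema Admin + Enterprise Admin,
# on a domain-joined machine in the schema master's AD site.

# 1. Schema first, then forest-wide objects, then every domain that hosts recipients.
.\Setup.exe /PrepareSchema     /IAcceptExchangeServerLicenseTerms
.\Setup.exe /PrepareAD         /IAcceptExchangeServerLicenseTerms
.\Setup.exe /PrepareAllDomains /IAcceptExchangeServerLicenseTerms

# 2. Read the three version markers Setup updates. Compare them against the
#    values Microsoft publishes for this CU; they are not hard-coded here.
$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext
$domainNC = $rootDse.defaultNamingContext

# Schema version: rangeUpper on the ms-Exch-Schema-Version-Pt attribute definition.
$schemaVer = ([ADSI]"LDAP://CN=ms-Exch-Schema-Version-Pt,$schemaNC").rangeUpper

# Forest (organization) version: objectVersion on the Exchange organization container.
$orgVer = ([ADSI]"LDAP://CN=Microsoft Exchange,CN=Services,$configNC").psbase.Children |
    Where-Object { $_.objectClass -contains 'msExchOrganizationContainer' } |
    ForEach-Object { $_.objectVersion }

# Domain version: objectVersion on the Microsoft Exchange System Objects container.
$domainVer = ([ADSI]"LDAP://CN=Microsoft Exchange System Objects,$domainNC").objectVersion

"Schema rangeUpper    : $schemaVer"
"Org objectVersion    : $orgVer"
"Domain objectVersion : $domainVer"
```

Wait for replication to reach the domain controllers in the site where you will run Setup on the first server; if the printed values have not changed from the pre-CU numbers, the upgrade will fail at the prerequisite check rather than mid-install, which is the better place to find out.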