Nothing but excellent news in the hybrid Exchange realm these days! Microsoft recently updated the support statement for cross-premises permissions in a hybrid deployment. As of now, Full Access delegate permissions are supported cross-premises. I know many customers will be delighted to hear this as this has been a big ask for quite some time now.
It’s important to understand that the support only applies to Full Access permissions, as stated here. Other permissions like Send-As, Receive-As or Send-on-Behalf are still not supported. Note that Microsoft is in the process of updating its documentation; you should see a more consistent message across TechNet over the next few days!
Although full access permissions have been reported to work intermittently, no cross-premises permissions were supported previously. As such, you could not rely on them working either. From what I understand, the plumbing was already in place for a while but the intermittent results were partially due to the Outlook client not honoring them quite as one would expect. Provided you have the November 2015 update to Outlook 2013, you should no longer run into any problems.
As you move mailboxes to Office 365, permissions are migrated along. If you already had permissions assigned before the move, there is nothing you need to do. Although the permissions were also migrated previously, you had to move connected mailboxes at the same time so they would be hosted in the same organization in order for them to work. Not too long ago, I was talking to a customer who started out with a handful of mailboxes to move to Office 365 but ended up with a huge migration batch because of the interweaved permissions… As of now, this is no longer needed, making planning for migration batches a lot easier!
You should now also be able to add the Full Access permissions after mailboxes have been moved. This means you can give an on-premises mailbox access to a mailbox in Office 365 and the other way around without having to set the permissions prior to moving the target mailbox to Office 365.
In order to explain things more clearly, I have put together a Q&A. I hope this helps!
What cross-premises permissions are supported in a hybrid deployment today?
Full Access only. Other delegate permissions like Send-As, Receive-As or Send-on-Behalf are not. There are no changes to cross-premises calendar delegation either. That continues to work the same way it did before.
Will the permissions work both ways?
Yes. On-premises mailboxes can access Office 365 mailboxes and vice versa.
What do I need to do to make this work?
Nothing, really. Just make sure you are using an up-to-date Outlook client. For Outlook 2013, this means you need at least the November 2015 Cumulative Updates. Needless to say, the more up-to-date you are, the better!
In order to add permissions for a recipient in the other organization, you can either use PowerShell or the Exchange Admin Center. Unlike the EAC in Office 365, you cannot use the on-premises EAC to grant an Office 365 mailbox access to an on-premises mailbox. For that you must revert to using PowerShell.
How do I add permissions to an Office 365 mailbox for an on-premises recipient?
Follow these steps to add Full Access permissions to an Office 365 mailbox for an on-premises recipient:
Login to the EAC in Office 365 (Exchange Online)
Navigate to recipients > mailboxes and then select properties of the mailbox you want to add Full Access permissions for.
In the properties window, navigate to mailbox delegation
Scroll down to you get to the Full Access From there, use the recipient picker (plus-sign) to add the on-premises mailbox you wish to grant permissions to:
How do I add permissions to an on-premises mailbox for an Office 365 recipient?
As mentioned earlier, you cannot use the EAC to add permissions for an Office 365 recipient. Instead, you must use the on-premises Exchange Management Shell. Don’t worry it’s quite simple!
Unlike for permissions in the same environment, the AutoMapping feature is not supported. Hence why I specified the –AutoMapping $false parameter. I suspect the permissions to work without adding the parameter too!
What will my users see?
There is no difference in how Outlook displays an Office 365 mailbox over an on-premises mailbox you have access to. However, an on-premises user might get prompted for credentials when trying to access a mailbox in Office 365. This is because, in the back, the Outlook client must establish a connection with the Office 365 service first.
How that looks, depends on a number of things like the version of the Outlook client, whether you use Modern Authentication and whether or not they already have another Office 365 mailboxes in their Outlook profile.
Consider the following scenario: you are about to implement directory synchronization for Office 365. You have multiple Active Directory sites across several, geographically dispersed, locations all over the world. Unsurprisingly, some of these locations have better connectivity than others and you might not want AAD Connect to connect to Domain Controllers in locations with a slow or high latency connection at the risk of slowing down the entire process.
When Azure AD Connect connects to a new forest, it uses DNS to locate domain controllers it needs to connect to. Without additional configuration, it is very difficult to control or know exactly which Domain Controllers AAD Connect will connect to. I believe that within the domain it is installed in, AAD Connect will try and connect to Domain Controllers within the same site first –but I’m still waiting on getting that confirmed. Even if that is true, that would not necessarily be the case for remote forests as there is no way for AAD Connect to know which site in the remote forest is closest.
Once AAD Connect is installed, you will find that it is relatively easy to define a (static) list of Domain Controllers that AAD Connect should connect to.
First, open up the Synchronization Service Manager on your AAD Connect server. This executable (miisclient.exe) is typically located in “C:\Program Files\Microsoft Azure AD Sync\UIShell”
Navigate to Connectors and locate the connector, specific for your domain (forest). Note that the screenshot below only shows a single domain. If you are in a multi-forest environment and you might see multiple:
Right-click the connector and choose Properties.
In the properties window, go to Configure Directory Partitions and make sure to check the box next to Only use preferred domain controllers:
In the Configure Preferred DCs window, add the domain controllers you want AAD Connect to interface with. You can order the domain controllers preference by moving them up/down the list.
Click OK to confirm the changes.
That’s all there is to it. Now, Azure AD Connect will only talk to the Domain Controllers you have specified.
I know it’s been a while since I last posted here, but that’s just because I’ve been super busy with lots of things. Besides speaking at IT/Dev Connections and writing the Office 365 for IT Professionals ebook with Tony Redmond and Paul Cunningham, I have been working on some really exciting things at ENow! Amongst other cool new features, we recently developed new remote probes for our Exchange and Office 365 solutions. These probes allow you to monitor specific functionality such as the Autodiscover process or the ability to logon through AD FS from various locations other than your HQ or datacenter. I’m sure that this is something that larger organizations with multiple sites will appreciated!
This being said, I have other good news too! I am excited to share with you that Paul Robichaux, a long-time Exchange Server MVP will be joining the ranks at ENow as Vice President and CTO!
I’ve known Paul personally for a few years now, and I look forward to working with him at ENow. Paul is one of the people who inspired me to work in technology and more specifically in the area of Exchange. Even before I knew Paul personally, I was a big fan of him and his work. The many books and articles he authored have helped me through many of the endeavors in my early career –and they continue to do so today. Needless to say, his track record speaks for itself. And let’s not forget that he used to teach classes for the Microsoft Certified Solutions Master (MCM/MCSM) program as well!
Office 365 is very important to us. Back in 2012, ENow was the first to develop Mailscape 365, our best-in-class Office 365 monitoring and analytics solution. Since then, a lot of things have changed. We work hard to continuously improve our solution. Not only to meet the changing needs of our customers but also to evolve along with Office 365 –which changes faster than ever before. In order to align with the pace of change in Office 365, ENow moved to the Agile development process which allows us to respond more quickly to those changes and push out updates to our customers as quickly as possible. That Paul is joining our team reinforces ENow’s commitment to the future and is a herald of what more is to come!
Behind the curtains we are working on some really interesting things. Unfortunately, I cannot share too much about what that entails just yet. But trust me when I tell you it is BIG! Paul’s background in software development and his expertise in the area of Office 365 will play an important role in solidifying our position as a leading ISV in the Office 365 space as well as in the development of our future products and platforms.
Make sure to keep an eye out on the official ENow blog for future announcements. On my end, I’ll promise to update content on this website a little more often…!
It’s been a while since I last wrote an article… Although there’s no excuses, I have been pretty busy lately…
First of all, I’ve been ‘heads down’ preparing version 2 of the “Office 365 for Exchange Professionals” ebook.
As Microsoft recently announced, there have been a LOT of updates and those need to be reflected in the book too!
New items include information on the new hybrid configuration wizard, modern authentication, Azure AD Connect and so much more… As Tony mentioned on his blog, we plan on releasing “v2” at IT/DEV Connections in September. If you are attending IT/DEV Connection, Tony, Paul and I will be there too. Make sure to come and talk to us. We’d love to hear your feedback on the book.
This brings me to the conference itself. This year, I am lucky enough to be speaking there again. IT/DEV Connections is without a doubt one of my favorite tech conferences. It runs at a smaller scale than e.g. Ignite, but there’s a TON of great sessions, all led by even greater speakers! The fact that you aren’t overrun by ten thousands of other attendees allows you to interact with all the speakers. If not during the sessions, there are plenty of opportunities at the evening events or in hallway! You still have time to register, so if you are looking to attend a conference this ‘season’, IT/DEV Connections is what I would recommend. As usual, the conference is held in Las Vegas from September 14 – 17, in the beautiful Aria hotel.
I have two sessions this year. One about Identity Management and Authentication in the online Microsoft world. Although I still have a lot of work to do for my sessions (making sure I provide you with the latest information!), I can share with you that I will also be talking about Windows Hello and Microsoft Passport. This session is on Thursday at 8:30 AM.
The second session is somewhat different from what you’ve usually see me present about. On Wednesday at 11AM, I will be speaking about automation. The idea is not to be giving a theoretical session about how e.g. PowerShell DSC is supposed to work or what PowerShell is; other people are probably better suited for that! It won’t be a level 400 coding session either. I’m no developer and I’m also not a PowerShell guru! It’s rather a hands-on, real-world approach about how you can use all sorts of tools (mainly PowerShell though, but also e.g. Orchestrator) to automate simple and more complex tasks. The idea for this session grew from visiting customers all over the world and seeing how they automated service tasks, onboarding etc… By the end of the session you should have picked up some ideas about what can be useful to you and how to best approach and build it!
Later in September, I will be joining another fantastic line-up of speakers at the UK UC Day in Birmingham. This is the first time this one-day conference is held, but the organisation did not spare any efforts. A lot of speakers from IT/DEV Connections will be there and it’s good to see some speakers join us from the US too! This time, I will be speaking about hybrid deployments in all its glory. Single-forest, Multi-Forest, AAD Connect and many other things will be discussed. A high-paced session, but definitely for you if you are in a hybrid deployment, you are looking to configure a hybrid connection or you’re a consultant that deals a lot with hybrid!
ENow will be represented at both conferences as well! In the UK we are joined by the team of Essentials. Make sure to stop at our booth and have a conversation! We look forward to another great conference and an even greater Scheduled Maintenance party!
Office 365 provides various authentication options, such as cloud-IDs, Password Hash Synchronization or federated identities. Leaving out the specifics on how each of these options work, all of them are configured per domain. Whenever trying to access services in Office 365, the user is required to authenticate using its User Principal Name. For sake of simplicity, the general advise it to configure the UPN to match the email address which makes it less confusing for them.
The April 2015 Security Bulletin, Microsoft released an update for Active Directory Federation Service 3.0 which comes with Windows Server 2012 R2.
According to the documentation, the vulnerability would allow an attacker to gain access to an application – such as Office 365. Apparently the flaw is in the logoff process. As I understand it from the limited information available, although the user appears to have logged off, the logoff actually failed allowing an attacker to re-use the existing token to access the application as the user.
Although the bulletin mentions that Microsoft has no knowledge of any cases where this vulnerability was exploited, I personally wouldn’t wait for it to happen to me… 🙂
More information can be found here: https://technet.microsoft.com/library/security/MS15-040
As mentioned before, the purpose of this article series is to explore 3rd-party federation solutions that work with Office 365 and which can be an alternative to a Windows’ built-in ADFS server role. In this first article however, I will be discussing a solution which is somewhat different from the others that I will be looking into.
In fact, this solution is not really very different from a regular deployment. The company behind this solution is Celestix, whom have made their name with similar approaches for TMG, UAG and before that ISA servers. This time around, they [Celestix] have made an ADFS appliance out of a ‘regular’ Windows Server 2012 R2 machine. Through a custom web page, which is built into the appliance as a service in Windows, you have the ability to easily configure ADFS and DirSync by following a couple steps in the “Quick Setup Wizard”. Under the hood, the wizard will configure Microsoft’s implementation of ADFS and DirSync for you.
(the appliance’s web portal)
For this article series, Celestix was so kind to send me a (test)example of their A-Series (3400) appliance which is targeted at small to medium-sized organizations. The appliance is built on top of an Intel i5 CPU with a total of 8GB of RAM. Based on my experiences in the field, this ought to be more than enough for most (smaller) environments. There’s also a larger model which – by taking a look at the specs – is targeted more at the enterprise level. The CPU is upgraded to an Xeon E3 and comes with 16GB of RAM. More importantly though, the big brother (A-6400) comes with 2 redundant hot-swappable hard drives and powers supplies, whereas its little brother doesn’t have any of that.
It’s safe to assume that an appliance would cost anywhere between $ 4,000 and $ 5,000 (but don’t hold me to that!). For that kind of money – even though it includes the license for Windows too – it would be nice to have had at least a redundant hard drive; just for peace of mind. But then again, not many vendors offer that with their entry-level models.
(unboxing the appliance)
Celestix also has a solution for the ADFS Proxy role, which is built into their E-Series “Cloud Edge” appliance. I haven’t tested that appliance myself, but I can only assume it operates in a similar way as the A-Series. If you want a highly available setup, you will have to purchase at least 4 devices –just like you would do for a regular Windows-based ADFS setup; 2 Cloud Edge devices (to replace the ADFS proxy servers) and 2 A-Series appliances for the ADFS servers.
It is true that you could setup a (virtual) machine yourself and go through the configuration just as easy –that is if you know the steps to execute. But on the other hand, the configuration of ADFS in Windows Server 2012 R2 has become quite easy to do. On top of that, Microsoft is putting quite a bit effort into making it even more easy through e.g. Azure AD Connect; a solution which lets you configure DirSync and AD FS through a wizard. And that solutions comes for “free”… (although nothing is truly free; there’s always some overhead to take into account). Another thing I’m a little “worried” about is the device’s ability to upgrade specific software components. Right now, the appliance is equipped with ‘regular’ DirSync (not AAD Sync). If you are not looking to configure a multi-organization hybrid deployment or if you don’t have multiple forests, this should not be a problem at this very moment. But on the other hand, Microsoft has already mentioned that AAD Sync is the successor to DirSync which means the latter will disappear at some point.
It will be interesting to see how Celestix will deal with the upgrade to AADSync on the same appliance. As you might know, there is no in-place upgrade and switching from the one to the other is (sometimes) a little daunting. The current guidance for the upgrade is to uninstall DirSync and then install AADsync, at least – that’s the theory! And we all know how theories work in real life… When I spoke with the Celestix folks, they told me they were already working on figuring out a way to deal with this and they are also working on a version of their appliance that comes with AAD Sync out-of-the box.
A good thing about this appliance – unlike most other appliance – is that you have full control over the underlying operating system: you can RDP into it at any time and make changes where needed – of course, within the guidance of the vendor! But when it comes to ADFS or DirSync, this means that you could implement custom ADFS Claim Rules or configure some filtering rules. Unfortunately, there is no web interface for that.
One thing which I didn’t particularly like is how one would deal with high availability – but that might be a personal thing. When purchasing multiple devices, the web interface allows you to start the Windows Network Load Balancin management interface to setup an array and include multiple appliances. While NLB might work just fine, I’m not particularly fond of it. Also, the web interface launches the Windows NLB console; there’s no built-in wizard which guides you through the setup. I would have loved to see this feature be developed a little more – for instance including a wizard which sets up Windows Network Load Balancing, or which includes additional health checks over the built-in TCP connection-based health check. It is do-able, there are even some code samples that you can find on the internet: http://msdn.microsoft.com/en-us/library/cc307934(v=vs.85).aspx
I’m not saying it’s easy per se, but it would provide a lot of value for the audience which I think would benefit most from these kind of appliances.
Configuring AD FS & DirSync
Now that we’ve discussed the device a little, let’s take a look at home to start configuring it.
After having it connected to the network, I used the dial button on the device to do the basic networking configuration (assigning IP address etc). The configuration itself went fairly easy, but I was unable to connect to the device afterwards. It left me baffled for a moment, but after rebooting the appliance, I could connect to the web interface just right.
The first thing that I noticed is how clean the interface is. It’s particularly easy to navigate, and I had no problems finding what I needed. Through the Start menu-item, you can launch the Quick Setup Wizard where you immediately get the opportunity to join the machine to the domain.
Next up is a (mandatory) reboot, just like you would expect when joining a Windows machine to a domain:
After each reboot, the wizard will automatically continue where it left off. The next step is to start configuring ADFS. I chose to configure ADFS in the most simple way possible, using the built-in Windows Internal Database:
Oddly enough, the appliance does not allow you to generate a CSR. This means that you already have to have exported the certificate (with public key) before. It’s not a big deal, but it would have been nice if one could really work ‘from scratch’ here:
I chose the easy route: using Windows’ built-in database. The wizard also allows you to integrate with an existing SQL server – which is a requirement/recommendation for larger deployments:
Just like the wizard in Windows, you get a summary before firing of the wizard which will configure AD FS.
For those who have setup AD FS in Windows Server 2012 R2 before, you will notice that the wizard which Celestix uses is very similar: all the steps in this wizard are also the ones that you have to step through when configuring a Windows ADFS server.
It takes a few minutes to setup AD FS. Once this is done, you can go back to the wizard, which will then give you the option to configure “Office 365 Integration”. This means as much as: setup DirSync.
Next, you have to enter the Office 365 (Global Administrator) credentials, and you choose which domain you want to federate:
At this point, the appliance was giving me a hard time. It wouldn’t continue and displayed the following error message. As any administrator would do, I restarted it and was able to move on.
On the next page, I was able to specify some settings for DirSync. If you have setup DirSync manually before, I’m sure you will recognize them:
And that was it. After clicking “Next”, DirSync ran and I was able to successfully logon using ADFS:
The ADFS login-page. Just as you would expect:
What I particularly like about this solution is that it has some built-in reports. This can be very useful as the built-in AD FS roles does not come with that capability and looking for the right events in the Event Viewer can be time-consuming (unless you have already some reporting solution / PowerShell script that does that for you).
The first report is the ADFS Activity Report which gives you more information about the current authentication requests etc. I’ve simulated some failed logons and they showed up promptly (and correctly) in the interface:
The second report is more of a health statistics page. It will tell you if the required components are running and display some statistics about general usage.
The beauty of these reports are their simplicity. Unfortunately, I have not found a way to configure an alert when multiple failed logons occur. I was assured by Celestix that this is something they are working on for the future, and I welcome that. It would be really helpful if the right people in the organization would get a message when you might be under attack (or when just “more than usual” failed login attempts happen…).
In order not to go overboard with this article, there are some features (which are less important to the “ADFS Aspect” of the appliance) that I did not discuss. For instance, the web interface allows you to restrict access through the device’s Jog Dial (by configuring a password) and
I really liked the appliance, though I cannot speak to its performance and operations over time. Aside of some occasional hiccups (i.e. having to reboot the appliance through the wizard), I’ve had no problems configuring and getting it to work in a matter of a little more than one hour. Given that this is a v1-version, I trust these little wrinkles will sort themselves out shortly.
All things considered, some might find value in such an appliance, others might not. It all depends on what you are looking for. Personally, I don’t think there’s much value to be found if you are looking something to “replace” your AD FS servers with. However, if you take into account the (childishly) easy web interface and the built-in reports or if you have a small deployment and do not want the burden to manage additional servers, it might be a different story!
Stay tuned as in the next part of this article series, I will be discussing Okta for Office 365!
To make a long story short, if Outlook Anywhere is disabled at the user level, Autodiscover does not return the External EWS URL which is required to make the Free/Busy call.
The solution is as simple as the problem itself: re-enable Outlook Anywhere for the user and you would be fine. Of course, this might – depending on your environment – be a little challenging. This being said, however, I do suggest that you configure and (if possible) use Outlook Anywhere as it will make your life easier down the road (e.g. for migrations to Exchange 2013).
In 2013, Exchange Server MVP Mike Crowley wrote a script which would interactively report on the Office 365 Directory Synchronization tool. In 2014, Mike and I worked to update the script so that an HTML report would be generated. This would allow you to schedule the script and have the output emailed to you without the need to run the script interactively.
Before you can actually run the script, you will have to install SQL PowerShell on the AADSync machine first. DirSync had this installed by default, but it seems that AADSync does not. To install the SQL PS module, you must install the following components separately:
Microsoft® System CLR Types for Microsoft® SQL Server® 2012
Today, Microsoft released its latest updates for Exchange 2007, 2010 and 2013.
The updates for Exchange 2007 and 2010 mostly evolve around the Daylight Saving Time changes and a bunch of fixes for the latter version.
Cumulative Update 6 for Exchange 2013 doesn’t introduce any new feature or feature changes, but I’m happy to see that the Hybrid Configuration Wizard bug – which caused the HCW to fail – is now included by default. An Interim Update was already available, but it’s nice to see it included into the full build.
Along with a bunch of other fixes, Cumulative Update 6 now also closes the gap with Office 365 when it comes to Public Folder performance and scalability: you can now also deploy up to 100,000 public folders on-premises. Along with this change, there are some other (minor) behavioral changes which Microsoft outlined beautifully here.
For more information on these updates, have a look at the following announcements for Microsoft: