Just a few weeks ago, Microsoft announced a new feature in its line-up of hybrid Exchange capabilities: the Minimal Hybrid Configuration option. With the introduction of this new capability, Microsoft seems to have responded to a long-standing question from customers who can now move mailboxes to Office 365 without the need to deploy a ‘full’ Hybrid configuration.
“Choose a job you love, and you will never have to work one day in your life. ~ Confucius”
Work is an important part of our everyday life. Given that, on average, one probably has to work about 40 years until retirement, it makes absolutely sense for someone to follow their passion!
A little over 20 months ago, I embarked on a journey with ENow as Director of Product Research. During that time, I’ve had the honor to work with great people and fantastic customers around the world, and I’m grateful for the opportunity I was given. I worked on exciting products and stood at the verge of very exciting times for ENow. Admitted: I loved every moment of it. But, all good things come to an end. Despite a fantastic job at ENow, and lots of interesting stuff to look forward to, I recently decided to take a different route.
Since April 1st (no joke!), I started working as an independent consultant and trainer again, albeit through my own company VH Consulting & Training. Being and independent consultant doesn’t mean working less. However, it does allow me to set my own schedule, and it enables me to pursue another passion of mine: Krav Maga. (I recently started training to become a Krav Maga Instructor and I hope being able to open up a training location near Kortrijk (Belgium), sometime later this, or next year.)
In the meantime, I won’t sit still of course! I look very much forward to my first challenge which brings me to Fujitsu Technology Solutions in Belgium, helping them further grow their Microsoft Services practice. I will also continue to work with ENow on an independent basis, continuing to provide professional services and working relentlessly to build the best-in-class monitoring solution! Should you also be interested in working with me, you can get in touch at www.vhct.be.
Aside from all that, I plan to continue writing, and I look forward to (hopefully) speak at a few conferences later this year! For now, however, I will return to writing new things for the next version the Office 365 e-book, due later in May. There is a lot of content that needs to be rewritten, and although it’s all very exciting stuff, things don’t write themselves!
Nothing but excellent news in the hybrid Exchange realm these days! Microsoft recently updated the support statement for cross-premises permissions in a hybrid deployment. As of now, Full Access delegate permissions are supported cross-premises. I know many customers will be delighted to hear this as this has been a big ask for quite some time now.
It’s important to understand that the support only applies to Full Access permissions, as stated here. Other permissions like Send-As, Receive-As or Send-on-Behalf are still not supported. Note that Microsoft is in the process of updating its documentation; you should see a more consistent message across TechNet over the next few days!
Although full access permissions have been reported to work intermittently, no cross-premises permissions were supported previously. As such, you could not rely on them working either. From what I understand, the plumbing was already in place for a while but the intermittent results were partially due to the Outlook client not honoring them quite as one would expect. Provided you have the November 2015 update to Outlook 2013, you should no longer run into any problems.
As you move mailboxes to Office 365, permissions are migrated along. If you already had permissions assigned before the move, there is nothing you need to do. Although the permissions were also migrated previously, you had to move connected mailboxes at the same time so they would be hosted in the same organization in order for them to work. Not too long ago, I was talking to a customer who started out with a handful of mailboxes to move to Office 365 but ended up with a huge migration batch because of the interweaved permissions… As of now, this is no longer needed, making planning for migration batches a lot easier!
You should now also be able to add the Full Access permissions after mailboxes have been moved. This means you can give an on-premises mailbox access to a mailbox in Office 365 and the other way around without having to set the permissions prior to moving the target mailbox to Office 365.
In order to explain things more clearly, I have put together a Q&A. I hope this helps!
What cross-premises permissions are supported in a hybrid deployment today?
Full Access only. Other delegate permissions like Send-As, Receive-As or Send-on-Behalf are not. There are no changes to cross-premises calendar delegation either. That continues to work the same way it did before.
Will the permissions work both ways?
Yes. On-premises mailboxes can access Office 365 mailboxes and vice versa.
What do I need to do to make this work?
Nothing, really. Just make sure you are using an up-to-date Outlook client. For Outlook 2013, this means you need at least the November 2015 Cumulative Updates. Needless to say, the more up-to-date you are, the better!
In order to add permissions for a recipient in the other organization, you can either use PowerShell or the Exchange Admin Center. Unlike the EAC in Office 365, you cannot use the on-premises EAC to grant an Office 365 mailbox access to an on-premises mailbox. For that you must revert to using PowerShell.
How do I add permissions to an Office 365 mailbox for an on-premises recipient?
Follow these steps to add Full Access permissions to an Office 365 mailbox for an on-premises recipient:
- Login to the EAC in Office 365 (Exchange Online)
- Navigate to recipients > mailboxes and then select properties of the mailbox you want to add Full Access permissions for.
- In the properties window, navigate to mailbox delegation
- Scroll down to you get to the Full Access From there, use the recipient picker (plus-sign) to add the on-premises mailbox you wish to grant permissions to:
- Click save.
How do I add permissions to an on-premises mailbox for an Office 365 recipient?
As mentioned earlier, you cannot use the EAC to add permissions for an Office 365 recipient. Instead, you must use the on-premises Exchange Management Shell. Don’t worry it’s quite simple!
|Add-MailboxPermission –Identity <On-Prem_mailbox_to_give_permissions_for> -User <O365_mailbox_to_give_permissions_to> -AccessRights FullAccess –AutoMapping $false|
|Add-MailboxPermission –Identity firstname.lastname@example.org –User email@example.com –AccessRights FullAccess –AutoMapping $false|
Unlike for permissions in the same environment, the AutoMapping feature is not supported. Hence why I specified the –AutoMapping $false parameter. I suspect the permissions to work without adding the parameter too!
What will my users see?
There is no difference in how Outlook displays an Office 365 mailbox over an on-premises mailbox you have access to. However, an on-premises user might get prompted for credentials when trying to access a mailbox in Office 365. This is because, in the back, the Outlook client must establish a connection with the Office 365 service first.
How that looks, depends on a number of things like the version of the Outlook client, whether you use Modern Authentication and whether or not they already have another Office 365 mailboxes in their Outlook profile.
Consider the following scenario: you are about to implement directory synchronization for Office 365. You have multiple Active Directory sites across several, geographically dispersed, locations all over the world. Unsurprisingly, some of these locations have better connectivity than others and you might not want AAD Connect to connect to Domain Controllers in locations with a slow or high latency connection at the risk of slowing down the entire process.
When Azure AD Connect connects to a new forest, it uses DNS to locate domain controllers it needs to connect to. Without additional configuration, it is very difficult to control or know exactly which Domain Controllers AAD Connect will connect to. I believe that within the domain it is installed in, AAD Connect will try and connect to Domain Controllers within the same site first –but I’m still waiting on getting that confirmed. Even if that is true, that would not necessarily be the case for remote forests as there is no way for AAD Connect to know which site in the remote forest is closest.
Once AAD Connect is installed, you will find that it is relatively easy to define a (static) list of Domain Controllers that AAD Connect should connect to.
- First, open up the Synchronization Service Manager on your AAD Connect server. This executable (miisclient.exe) is typically located in “C:\Program Files\Microsoft Azure AD Sync\UIShell”
- Navigate to Connectors and locate the connector, specific for your domain (forest). Note that the screenshot below only shows a single domain. If you are in a multi-forest environment and you might see multiple:
- Right-click the connector and choose Properties.
- In the properties window, go to Configure Directory Partitions and make sure to check the box next to Only use preferred domain controllers:
- In the Configure Preferred DCs window, add the domain controllers you want AAD Connect to interface with. You can order the domain controllers preference by moving them up/down the list.
- Click OK to confirm the changes.
That’s all there is to it. Now, Azure AD Connect will only talk to the Domain Controllers you have specified.
Today is a great day!
I know it’s been a while since I last posted here, but that’s just because I’ve been super busy with lots of things. Besides speaking at IT/Dev Connections and writing the Office 365 for IT Professionals ebook with Tony Redmond and Paul Cunningham, I have been working on some really exciting things at ENow! Amongst other cool new features, we recently developed new remote probes for our Exchange and Office 365 solutions. These probes allow you to monitor specific functionality such as the Autodiscover process or the ability to logon through AD FS from various locations other than your HQ or datacenter. I’m sure that this is something that larger organizations with multiple sites will appreciated!
This being said, I have other good news too! I am excited to share with you that Paul Robichaux, a long-time Exchange Server MVP will be joining the ranks at ENow as Vice President and CTO!
I’ve known Paul personally for a few years now, and I look forward to working with him at ENow. Paul is one of the people who inspired me to work in technology and more specifically in the area of Exchange. Even before I knew Paul personally, I was a big fan of him and his work. The many books and articles he authored have helped me through many of the endeavors in my early career –and they continue to do so today. Needless to say, his track record speaks for itself. And let’s not forget that he used to teach classes for the Microsoft Certified Solutions Master (MCM/MCSM) program as well!
Office 365 is very important to us. Back in 2012, ENow was the first to develop Mailscape 365, our best-in-class Office 365 monitoring and analytics solution. Since then, a lot of things have changed. We work hard to continuously improve our solution. Not only to meet the changing needs of our customers but also to evolve along with Office 365 –which changes faster than ever before. In order to align with the pace of change in Office 365, ENow moved to the Agile development process which allows us to respond more quickly to those changes and push out updates to our customers as quickly as possible. That Paul is joining our team reinforces ENow’s commitment to the future and is a herald of what more is to come!
Behind the curtains we are working on some really interesting things. Unfortunately, I cannot share too much about what that entails just yet. But trust me when I tell you it is BIG! Paul’s background in software development and his expertise in the area of Office 365 will play an important role in solidifying our position as a leading ISV in the Office 365 space as well as in the development of our future products and platforms.
Make sure to keep an eye out on the official ENow blog for future announcements. On my end, I’ll promise to update content on this website a little more often…!
It’s been a while since I last wrote an article… Although there’s no excuses, I have been pretty busy lately…
First of all, I’ve been ‘heads down’ preparing version 2 of the “Office 365 for Exchange Professionals” ebook.
As Microsoft recently announced, there have been a LOT of updates and those need to be reflected in the book too!
New items include information on the new hybrid configuration wizard, modern authentication, Azure AD Connect and so much more… As Tony mentioned on his blog, we plan on releasing “v2” at IT/DEV Connections in September. If you are attending IT/DEV Connection, Tony, Paul and I will be there too. Make sure to come and talk to us. We’d love to hear your feedback on the book.
This brings me to the conference itself. This year, I am lucky enough to be speaking there again. IT/DEV Connections is without a doubt one of my favorite tech conferences. It runs at a smaller scale than e.g. Ignite, but there’s a TON of great sessions, all led by even greater speakers! The fact that you aren’t overrun by ten thousands of other attendees allows you to interact with all the speakers. If not during the sessions, there are plenty of opportunities at the evening events or in hallway! You still have time to register, so if you are looking to attend a conference this ‘season’, IT/DEV Connections is what I would recommend. As usual, the conference is held in Las Vegas from September 14 – 17, in the beautiful Aria hotel.
I have two sessions this year. One about Identity Management and Authentication in the online Microsoft world. Although I still have a lot of work to do for my sessions (making sure I provide you with the latest information!), I can share with you that I will also be talking about Windows Hello and Microsoft Passport. This session is on Thursday at 8:30 AM.
The second session is somewhat different from what you’ve usually see me present about. On Wednesday at 11AM, I will be speaking about automation. The idea is not to be giving a theoretical session about how e.g. PowerShell DSC is supposed to work or what PowerShell is; other people are probably better suited for that! It won’t be a level 400 coding session either. I’m no developer and I’m also not a PowerShell guru! It’s rather a hands-on, real-world approach about how you can use all sorts of tools (mainly PowerShell though, but also e.g. Orchestrator) to automate simple and more complex tasks. The idea for this session grew from visiting customers all over the world and seeing how they automated service tasks, onboarding etc… By the end of the session you should have picked up some ideas about what can be useful to you and how to best approach and build it!
Later in September, I will be joining another fantastic line-up of speakers at the UK UC Day in Birmingham. This is the first time this one-day conference is held, but the organisation did not spare any efforts. A lot of speakers from IT/DEV Connections will be there and it’s good to see some speakers join us from the US too! This time, I will be speaking about hybrid deployments in all its glory. Single-forest, Multi-Forest, AAD Connect and many other things will be discussed. A high-paced session, but definitely for you if you are in a hybrid deployment, you are looking to configure a hybrid connection or you’re a consultant that deals a lot with hybrid!
ENow will be represented at both conferences as well! In the UK we are joined by the team of Essentials. Make sure to stop at our booth and have a conversation! We look forward to another great conference and an even greater Scheduled Maintenance party!
Looking forward to seeing you there!
Office 365 provides various authentication options, such as cloud-IDs, Password Hash Synchronization or federated identities. Leaving out the specifics on how each of these options work, all of them are configured per domain. Whenever trying to access services in Office 365, the user is required to authenticate using its User Principal Name. For sake of simplicity, the general advise it to configure the UPN to match the email address which makes it less confusing for them.