Office 365 MVP

January 1st, 2014

Wow! I have just received a great email from the Microsoft MVP Award team; what a lovely way to start a new year.
I’m honored to receive the Office 365 MVP award :-)

Dear Brian Nohr,

Congratulations! We are pleased to present you with the 2014 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Office365 technical communities during the past year.

A big thanks to my current MVP Lead William Jansen.

Microsoft MVPs are not Microsoft employees, rather independent technology enthusiasts who are active in communities on and offline. We are experts and professionals across diverse subjects that all share a common use of Microsoft technologies to solve everyday real-world problems.

More about the MVP program here: http://mvp.support.microsoft.com/en-us/overview.aspx


OWA Redirection to Office 365 for Exchange 2013 CU2 Hybrid

October 22nd, 2013

I recently installed CU2 (Cumulative Update 2) for Exchange Server 2013 in my test environment, where I have an Exchange hybrid installation, and after a day or two I noticed that Outlook Web App redirection no longer works.

Normally, when a user whose mailbox is in Exchange Online connects to the on-premises Exchange server and authenticates, OWA redirects them to http://outlook.com/owa/YourDomainName.com

After I installed CU2 this no longer works. Instead, I receive the following error message:

:-( Something went wrong.
A problem occurred while you were trying to use your mailbox.

Microsoft has stated that this is a known issue that will be addressed in the next update for Exchange Server 2013, and until then they suggest the following workaround:

To work around this issue, users can go directly to http://outlook.com/owa/<DomainName>.com in their web browsers to access Outlook Web App.

I am quite sure that it can be done in a smoother way :-) So I started digging into the problem and found a better way (in my opinion):
you can change the OWA 500 error page so that it displays a more user-friendly message for this specific error.

  • Go to your CAS server(s) and find the OWA 500 error page, which is located at
    %ExchangeInstallPath%\FrontEnd\HttpProxy\owa\auth\errorFE.aspx
  • Make a copy/backup of errorFE.aspx
  • Open errorFE.aspx in Notepad (or your preferred editor) and find errorMessageContainer (located on line 70)
  • After class="errorMessageContainer"> delete these 3 lines

    <div><% RenderErrorHeader(); %></div>
    <div><% RenderErrorSubHeader(); %></div>
    <div><% RenderErrorDetails(); %></div>

  • Add the following lines instead. The msg value 861904327 is the code OWA puts in the error page URL for this redirection failure (check the URL of the error page in your own environment before relying on it); every other error still gets the standard rendering through the else branch. Note that the original block also needs the closing <% } %> and the closing </div> shown here:

    <div>
    <% if (Request.QueryString["msg"] == "861904327") { %>
    <div>Oops!</div>
    <div>Your mailbox is located in Office 365</div>
    <div>Please log in to your Office 365 mailbox:<br />
    <a href="https://outlook.com/owa/YourDomainName.com">https://outlook.com/owa/YourDomainName.com</a></div>
    <% }
    else { %>
    <div><% RenderErrorHeader(); %></div>
    <div><% RenderErrorSubHeader(); %></div>
    <div><% RenderErrorDetails(); %></div>
    <% } %>
    </div>

  • Save errorFE.aspx and restart IIS (iisreset) on the Exchange CAS server(s)

Now the users will get an error message saying

Oops!
Your mailbox is located in Office 365
Please log in to your Office 365 mailbox:
https://outlook.com/owa/YourDomainName.com

Keep in mind that errorFE.aspx is served to unauthenticated users, so the replacement markup should stay static, as above, and never echo anything from the request. Also, Exchange cumulative updates replace the files under FrontEnd\HttpProxy, so the change has to be reapplied after the next CU.
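Because the edit has to be repeated after every cumulative update, here it is as a PowerShell script to run on each CAS server. This is an added example, not code from the original post: the file path and the msg code come from the post, while $OwaUrl is a placeholder you replace with your own tenant's OWA address.

```powershell
# Added example: re-apply the errorFE.aspx customization described above.
# Run in an elevated PowerShell on the Exchange CAS server (PowerShell 3.0+).
$OwaUrl = 'https://outlook.com/owa/YourDomainName.com'   # assumption: replace with your domain
$Page   = Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy\owa\auth\errorFE.aspx'

# The three Render* lines inside errorMessageContainer, tolerant of whitespace
$pattern = '<div><%\s*RenderErrorHeader\(\);\s*%></div>\s*' +
           '<div><%\s*RenderErrorSubHeader\(\);\s*%></div>\s*' +
           '<div><%\s*RenderErrorDetails\(\);\s*%></div>'

# Static replacement: no request data is echoed, only constants and the URL
$replacement = @"
<% if (Request.QueryString["msg"] == "861904327") { %>
<div>Oops!</div>
<div>Your mailbox is located in Office 365</div>
<div>Please log in to your Office 365 mailbox:<br />
<a href="$OwaUrl">$OwaUrl</a></div>
<% } else { %>
<div><% RenderErrorHeader(); %></div>
<div><% RenderErrorSubHeader(); %></div>
<div><% RenderErrorDetails(); %></div>
<% } %>
"@

$content = Get-Content -Path $Page -Raw

# Idempotent: a file that already carries the msg check is left alone
if ($content -match '861904327') {
    Write-Warning "$Page is already customized, nothing to do"
    return
}

$rx = [regex]$pattern
if ($rx.Matches($content).Count -ne 1) {
    throw "Expected exactly one errorMessageContainer block in $Page; the layout has changed, edit it by hand"
}

# Backup with a timestamp before writing anything
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
Copy-Item -Path $Page -Destination "$Page.$stamp.bak"

# '$$' escapes the '$' that Regex.Replace would otherwise treat as a group reference
$updated = $rx.Replace($content, $replacement.Replace('$', '$$'), 1)
Set-Content -Path $Page -Value $updated -Encoding UTF8

iisreset
```

The script refuses to touch a file it does not recognise (zero or more than one match), so a future CU that changes the page layout fails loudly instead of producing a half-edited error page.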

Manage Exchange without Exchange permissions

October 11th, 2013

As you may already know, Exchange 2010 and Exchange 2013 use a permissions model called Role Based Access Control (RBAC). The key element of RBAC is that you can easily control the level of permissions assigned to your users and administrators.

However, if your administrators are members of “Domain Admins” it does not matter whether they have Exchange permissions or not. You may be thinking: “Yes, I get that, because members of Domain Admins can control which security groups they are members of.”
Well yes, that is indeed correct, but let us forget that for a moment and test it anyway :-)

Create a new user in AD and make that user a member of “Domain Admins” (do not give this user any Exchange permissions!). Log on to your Exchange server with this user and open the Exchange Management Console.

The Exchange Management Console will connect to the Exchange server, look up the user's information and permissions, and you will see either a very limited Exchange Management Console or this error:

Processing data from remote server failed with the following error message: The user “domain.local/Users/USERNAME” isn’t assigned to any management roles.

If you open the Exchange Management Shell and run Get-Mailbox, you will only get your own mailbox! You can run cmdlets like Set-Mailbox, but when you specify a user that you know exists on the Exchange server, you get this error:

The operation couldn’t be performed because object ‘testuser’ couldn’t be found on ‘domain.local’.

Okay, so it seems you do not have any permissions to manage Exchange other than your own mailbox!
Now open an elevated Windows PowerShell (Run as Administrator) and enter:
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010

Run the Get-Mailbox cmdlet and you get a list of all mailboxes in your Exchange organization. Is that dangerous? No, of course not, BUT the fact that you can run Set-Mailbox on one of the users, or even Remove-Mailbox, might be.

I know that you can do the exact same thing in Active Directory, but somehow I think people are more careful in Active Directory, or I hope that they know what they are doing :-) And it is not that easy to create a new send connector directly in AD…

As far as I can understand from Microsoft, it is not supported to run Exchange cmdlets in plain Windows PowerShell; you have to use the Exchange Management Shell. Now I know why!

It might be possible to solve this “problem” with the Exchange split permissions model, but I have not tested that yet.
I will post the result here when I have one.
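The mechanism behind what the post observes: the Exchange Management Shell connects through the remote PowerShell endpoint on the Exchange server, which is where RBAC is enforced; loading the snap-in into a local PowerShell runs the cmdlets in-process, talking to Active Directory with the caller's own AD rights, and a Domain Admin has write access to the Exchange configuration objects. Until Exchange administrators are kept out of Domain Admins (or AD split permissions is in place), it is worth knowing which accounts are in that position. The following audit script is an added example, not code from the original post; it assumes an Exchange Management Shell (so RBAC applies to the queries themselves) on a machine with the ActiveDirectory module, and uses only standard group and property names.

```powershell
# Added example: list members of Domain Admins who hold no Exchange RBAC
# assignment. They see nothing through the Exchange Management Shell but can
# still manage Exchange by loading the snap-in locally, as the post shows.
Import-Module ActiveDirectory

function Get-ExchangeAssigneeDNs {
    # Distinguished names of every user with an RBAC assignment, either
    # directly on the user or through membership of a role group.
    $direct = Get-ManagementRoleAssignment -RoleAssigneeType User |
        ForEach-Object { $_.RoleAssignee.DistinguishedName }

    # Get-RoleGroupMember returns direct members only; nested security
    # groups inside a role group are not expanded here.
    $viaRoleGroup = Get-RoleGroup |
        ForEach-Object { Get-RoleGroupMember -Identity $_.Identity } |
        ForEach-Object { $_.DistinguishedName }

    @($direct) + @($viaRoleGroup) | Where-Object { $_ } | Sort-Object -Unique
}

function Get-DomainAdminsWithoutExchangeRoles {
    $assigned = @(Get-ExchangeAssigneeDNs)

    # -Recursive follows nested group membership inside Domain Admins
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Where-Object { $assigned -notcontains $_.DistinguishedName } |
        Select-Object Name, SamAccountName, DistinguishedName
}

# Every account listed can bypass RBAC via Add-PSSnapin on an Exchange
# server or management-tools machine; review each one.
Get-DomainAdminsWithoutExchangeRoles | Format-Table -AutoSize
```

An empty result does not mean the problem is gone: a Domain Admin who also has a legitimate RBAC role can still do more than that role allows by loading the snap-in locally. The list simply shows the accounts whose Exchange access is invisible to the RBAC reports.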

Exchange Online Protection and spam notifications

October 11th, 2013

Exchange Online Protection (EOP) provides cloud-based spam and malware filtering for only $1 per user per month, and if you already have an Office 365 subscription it is included!

In June Microsoft released the ability to create custom spam and malware filter policies and apply them to specific domains, groups, or users.

Since the release of Exchange Online Protection the spam quarantine has been supported, but for some reason only administrators were allowed to release spam messages from the quarantine, through the Exchange admin center.
With the latest Office 365 update you can configure Exchange Online Protection so that users manage their own spam-quarantined messages. Nevertheless, this is NOT enabled by default…

To enable it, follow this guide.

Go to your Office 365 portal and select “Admin” -> “Exchange” in the top right corner.
Click “protection” in the left menu and “content filter” in the top menu.
Scroll down in the pane on the right and click “Configure end-user spam notifications…”

(Screenshot: Enable spam notification)

A new window opens, and as the screenshot shows, you now have the option to enable spam notifications. Remember to select a frequency (from 1 to 15 days) and whether the end-user spam notification should be a localized message!

(Screenshot: end-user notification settings)
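The same setting can be made and, more importantly, verified across all content filter policies from PowerShell, which the post does not show. The script below is an added example, not from the original post. It assumes the ExchangeOnlineManagement module (Connect-ExchangeOnline); the cmdlet and parameter names are the documented ones, and the 1 to 15 day range is the one given above. In tenants that have since moved end-user notifications into quarantine policies these parameters are superseded, so check the cmdlet help in your tenant first.

```powershell
# Added example: enable end-user spam notifications on every content filter
# policy that still has them off, then confirm none are left.
Connect-ExchangeOnline

function Set-EndUserSpamNotification {
    param(
        [Parameter(Mandatory)][string]$Policy,
        [ValidateRange(1, 15)][int]$FrequencyDays = 3   # the portal allows 1-15 days
    )
    Set-HostedContentFilterPolicy -Identity $Policy `
        -EnableEndUserSpamNotifications $true `
        -EndUserSpamNotificationFrequency $FrequencyDays
}

function Get-PoliciesWithoutNotifications {
    # Policies whose users cannot release their own quarantined mail
    Get-HostedContentFilterPolicy |
        Where-Object { -not $_.EnableEndUserSpamNotifications } |
        Select-Object Name, IsDefault, EndUserSpamNotificationFrequency
}

# Before: report the gaps (the 'Default' policy is the usual offender)
Get-PoliciesWithoutNotifications | Format-Table -AutoSize

# Fix every policy that is missing the setting, then re-check
Get-PoliciesWithoutNotifications |
    ForEach-Object { Set-EndUserSpamNotification -Policy $_.Name -FrequencyDays 3 }

# After: this should return nothing
Get-PoliciesWithoutNotifications
```

Checking all policies rather than just the default one matters once you have per-domain or per-group filter policies, as described above: a notification setting on the default policy does nothing for users who match a custom policy.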

Microsoft is working on further spam notification improvements, and by the end of the first quarter of 2014 we should see the following in Office 365:

  • Enabling admins to configure spam notifications independently from spam detection policies.
  • More granular control for spam notification settings beyond the current organization and domain scope.
  • Enabling users to access quarantined messages on demand through a web portal.
  • Admin configuration for allowing users to submit spam examples.

Customizing the ADFS login page

September 27th, 2013

By default, the ADFS forms-based login page is boring, so why not spend a few minutes making it look better, or even corporate-branded?

You can, for example, add a logo, change the page title, change the “domain\username” example, or even have the email address the user typed at the Office 365 login page prefilled on the ADFS form… Just remember to make these changes on all your ADFS servers and ADFS proxy servers, and to back up the files before you start changing them!

How to add a logo:
The logo file should be 600 x 100 px

  • Copy the logo as logo.jpg or logo.png into C:\inetpub\adfs\ls\
  • Edit web.config in Notepad (you will find it in C:\inetpub\adfs\ls\)
  • Find the following text:

<!--
<add key="logo" value="logo.jpg" />
-->

  • The above shows that the logo key is commented out and therefore not loaded. To uncomment it, remove the "<!--" and "-->" around the line.
  • Change the filename if you use a logo.png file
  • Save and close the file

How to change the instruction text

  • Go to C:\inetpub\adfs\ls\App_GlobalResources
  • Edit CommonResources.en.resx in Notepad (replace the “en” with your localization code if not English)
  • Find the following text:

<data name="FormsSignInHeader" xml:space="preserve">
<value>Type your user name and password.</value>
</data>

  • Change the text “Type your user name and password” to whatever you want
  • Save and close the file

How to change the page title

  • Go to C:\inetpub\adfs\ls\App_GlobalResources
  • Edit CommonResources.en.resx in notepad (replace the “en” with your localization code if not English)
  • Find the following text:

<data name="FormsSignInPageTitle" xml:space="preserve">
<value>Sign In</value>
</data>

  • Change the text “Sign In” to another title
  • Save and close the file

How to change the “domain\username” example

  • Go to C:\inetpub\adfs\ls\App_GlobalResources
  • Edit CommonResources.en.resx in notepad (replace the “en” with your localization code if not English)
  • Find the following text:

<data name="UsernameExample" xml:space="preserve">
<value>Example: Domain\Username</value>
</data>

  • Change the text “Example: Domain\Username” to e.g. “email@domain.com”
  • Save and close the file

How to prefill the email address passed from the Office 365 login page

  • Go to C:\inetpub\adfs\ls
  • Edit FormsSignIn.aspx.cs in Notepad
  • Make sure these namespaces are imported at the top of the file:

using System;
using System.Web;

  • Find the Page_Load() method and add these lines. Office 365 passes the sign-in name as the username query-string parameter when it redirects to ADFS, so read it straight from Request.QueryString. Treat the value as untrusted input: it comes from the URL, so anyone who can send a user a link can choose it. The TextBox control HTML-encodes its Text on render, so it is displayed as text rather than markup, but do nothing with it beyond prefilling the box:

// Prefill the user name that Office 365 passed along in the redirect
string userIdentity = Request.QueryString["username"];
if (!String.IsNullOrEmpty(userIdentity))
{
    UsernameTextBox.Text = userIdentity;
    PasswordTextBox.Focus();
}

  • Save and close the file

How to change the hostname above the login box

  • Go to C:\inetpub\adfs\ls\MasterPages
  • Edit MasterPage.master.cs in notepad
  • Find the following text:

{
    PageTitleLabel.Text = Page.Title;
    STSLabel.Text = FriendlyName;
}

  • Change the STSLabel text to whatever you want. The text must be entered in quotes:
    STSLabel.Text = "SSO for Company";
  • Save and close the file
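Since the same files have to be changed identically on every ADFS server and every ADFS proxy, and backed up first, the logo and text changes above are easier to apply with a script than by hand. The following is an added example, not code from the original post: the paths, resource names and the logo key come from the post; the server names, the replacement strings, and the assumption that the commented-out logo key sits inside <appSettings> are mine. Get-FileHash needs PowerShell 4.0 or later on the machine you run this from.

```powershell
# Added example: push the ADFS 2.0 sign-in page customizations to every
# server in the farm over the admin share, with backups, and verify that all
# servers end up with byte-identical files.
$Servers = 'adfs01', 'adfs02', 'adfsproxy01'       # assumed host names
$LsShare = 'C$\inetpub\adfs\ls'                    # admin share of C:\inetpub\adfs\ls
$NewText = @{                                      # assumed replacement strings
    FormsSignInHeader    = 'Sign in with your company e-mail address and password.'
    FormsSignInPageTitle = 'Contoso single sign-on'
    UsernameExample      = 'Example: firstname.lastname@contoso.com'
}
$ResxFile = 'App_GlobalResources\CommonResources.en.resx'

function Set-ResxValue {
    # Replace <value> of the named <data> entries in a .resx file
    param([string]$Path, [hashtable]$Values)
    [xml]$resx = Get-Content -Path $Path -Raw
    foreach ($name in $Values.Keys) {
        $node = $resx.root.data | Where-Object { $_.name -eq $name }
        if (-not $node) { throw "Resource '$name' not found in $Path" }
        $node.value = $Values[$name]
    }
    $resx.Save($Path)
}

function Enable-LogoKey {
    # Turn the commented-out <add key="logo" .../> into a real element
    param([string]$Path, [string]$LogoFile)
    [xml]$config = Get-Content -Path $Path -Raw
    $appSettings = $config.configuration.appSettings   # assumption: key lives here
    $comment = $appSettings.ChildNodes |
        Where-Object { $_.NodeType -eq 'Comment' -and $_.Value -match 'key="logo"' } |
        Select-Object -First 1
    if (-not $comment) { return }   # already enabled or layout differs; leave it
    $add = $config.CreateElement('add')
    $add.SetAttribute('key', 'logo')
    $add.SetAttribute('value', $LogoFile)
    [void]$appSettings.ReplaceChild($add, $comment)
    $config.Save($Path)
}

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
foreach ($server in $Servers) {
    $ls = "\\$server\$LsShare"
    # Back up before touching anything, as the post advises
    foreach ($file in 'web.config', $ResxFile) {
        Copy-Item -Path "$ls\$file" -Destination "$ls\$file.bak-$stamp"
    }
    Copy-Item -Path '.\logo.png' -Destination "$ls\logo.png"   # 600 x 100 px
    Enable-LogoKey -Path "$ls\web.config" -LogoFile 'logo.png'
    Set-ResxValue  -Path "$ls\$ResxFile" -Values $NewText
}

# Verify: one distinct hash per file means every server serves the same page
foreach ($file in 'web.config', $ResxFile, 'logo.png') {
    $hashes = $Servers | ForEach-Object { (Get-FileHash -Path "\\$_\$LsShare\$file" -Algorithm SHA256).Hash }
    $distinct = ($hashes | Sort-Object -Unique).Count
    "{0}: {1} distinct hash(es) across {2} servers" -f $file, $distinct, $Servers.Count
}
```

The hash check is the part worth keeping even if you edit by hand: a proxy that was missed, or edited slightly differently, shows up as a second distinct hash, and that is exactly the server that will present users with a different-looking sign-in page.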

Multi Factor Authentication for Office 365

September 25th, 2013

Microsoft has implemented multi-factor authentication in Office 365.
At this moment, it can only be activated for administrators (which is free), but in the future it will also be possible for regular users (for a fee).

If you go to the online portal, you will see the option to enable multi-factor authentication; pretty simple.

(Screenshot: Enable MFA)

Afterwards, select the users you want to enable multi-factor authentication for and click Enable.

(Screenshot: selecting users for MFA)

The next time the users log in to the Office 365 portal, they will be asked to configure their multi-factor authentication.

(Screenshot: Configure MFA prompt)

During the configuration they must select which kind of verification they will use: mobile phone, office phone or a mobile app. If they select mobile app, they must download and install the Multi-Factor Authentication app from their device's app store.

(Screenshot: MFA verification method form)

When the configuration is done, the user will have to use multi-factor authentication each time they access OWA or the Office 365 portal.

If you go to https://account.activedirectory.windowsazure.com, you can set up additional security verification options.

(Screenshot: additional security verification page)
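Ticking users in the portal works for a handful of administrators, but it gives you no way to check later that every administrator is still covered. The script below does that check and enables MFA for anyone missing it. It is an added example, not from the original post; it uses the MSOnline module (Connect-MsolService, the same module the ADFS certificate post below relies on), whose 'Company Administrator' role is the Global Administrator role. MSOnline has since been retired by Microsoft, so on a current tenant the same check is done with the Microsoft Graph PowerShell module.

```powershell
# Added example: find Global Administrators without per-user MFA and enable it.
Connect-MsolService

function Get-AdminsWithoutMfa {
    param([string]$RoleName = 'Company Administrator')   # MSOnline name for Global Administrator
    $role = Get-MsolRole -RoleName $RoleName
    Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Where-Object { $_.RoleMemberType -eq 'User' } |
        ForEach-Object { Get-MsolUser -ObjectId $_.ObjectId } |
        # An empty StrongAuthenticationRequirements list means no per-user MFA
        Where-Object { $_.StrongAuthenticationRequirements.Count -eq 0 }
}

function Enable-PerUserMfa {
    param([Parameter(Mandatory, ValueFromPipeline)]$User)
    process {
        $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
        $req.RelyingParty = '*'        # applies to every application, not one relying party
        $req.State = 'Enabled'         # user is prompted to register at next sign-in
        Set-MsolUser -UserPrincipalName $User.UserPrincipalName -StrongAuthenticationRequirements @($req)
        $User.UserPrincipalName
    }
}

$missing = @(Get-AdminsWithoutMfa)
if ($missing.Count -eq 0) {
    'Every Global Administrator already has MFA configured.'
} else {
    "Enabling MFA for $($missing.Count) administrator(s):"
    $missing | Enable-PerUserMfa
}
```

'Enabled' matches what the portal does: the user is asked to set up verification at the next sign-in, exactly as the screenshots above show. Once the user has registered, the state moves to 'Enforced', at which point rich clients that do not understand MFA need app passwords.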

Manually configuring Outlook for Office 365 or Exchange 2013

May 10th, 2013

It can be a bit difficult to configure an Outlook profile for Office 365 wave 15 or Exchange 2013 if autodiscover points to your on-premises or old Exchange environment, since Outlook clients now connect to ExchangeGUID@domain.com rather than by RPC to the Client Access server as in Exchange 2010.

So in order to configure your Outlook profile you must look up the ExchangeGUID, the primary SMTP address and the UPN. This can be done with PowerShell against Exchange Online (or Exchange 2013); you will find the information by running this command:

Get-Mailbox USERNAME | fl Name, ExchangeGUID, PrimarySMTPAddress, UserPrincipalName

Now that you have the necessary user information, you can go ahead and configure an Outlook profile manually:

Open Outlook and select “Manual setup or additional server types” -> “Next”

Enter your “Exchange GUID”@YOURDOMAIN.COM in the Server field and your “UPN” in the User Name field

Click “More Settings” and choose the “Security” tab

Remove the checkmark from “Encrypt data between Microsoft Outlook and Microsoft Exchange” and select “Anonymous Authentication” under “Logon network security”. That checkbox controls RPC-level encryption inside the connection; with Outlook Anywhere the traffic is still protected by the HTTPS tunnel to the proxy, and authentication happens at the proxy with the settings configured below.

Go to the “Connection” tab and put a checkmark in “Connect to Microsoft Exchange using HTTP”

For Office 365 accounts:
Click the “Microsoft Exchange Proxy Settings…” button and enter “outlook.office365.com” in the “Use this URL to connect to my proxy server for Exchange” field, tick “Only connect to proxy servers that have this principal name in their certificate” and enter “msstd:outlook.com”, tick “On fast networks, connect using HTTP first, then connect using TCP/IP”, and set proxy authentication to “Basic Authentication”.

For Exchange 2013 accounts:
Click the “Microsoft Exchange Proxy Settings…” button and enter your webmail URL in the “Use this URL to connect to my proxy server for Exchange” field, tick “On fast networks, connect using HTTP first, then connect using TCP/IP”, and set proxy authentication to “Basic Authentication”.

Click “OK” -> “OK” to get back to the “Server settings” page and then click “Check name”.

Enter the UPN and password of the user.

The names will be resolved and your Outlook profile is now configured successfully.

Lync 2013 for iPad, iPhone and Windows Phone is released

March 13th, 2013

Microsoft has released the new Lync client for iPad, iPhone and Windows Phone.

The new Lync client adds some much-requested features to both platforms, including VoIP and video calls, as well as an iPad-only viewer for desktop and application sharing, which makes it much easier to follow what is being presented.

Download Lync 2013 for iPad and iPhone in App Store and for Windows Phone in the Windows Phone Store.


ExchangeroleAssignmentPresentation is not supported by MockEngine

March 12th, 2013

Recently, when I tried to add my new Office 365 (wave 15) tenant to the Exchange Management Console (Exchange 2010 SP2), I ran into an error:

The following error occurred when getting management role assignment information for ‘server.prod.outlook.com/Microsoft Exchange Hosted Organizations/TenantName.onmicrosoft.com/globaladmin’: Microsoft.Exchange.Data.Directory.Management.ExchangeroleAssignmentPresentation is not supported by MockEngine!

The error message isn’t informative, but the solution is very simple!
To add an Office 365 (wave 15) tenant to an Exchange 2010 Management Console you need to apply Exchange 2010 SP3.

Update ADFS certificates for Office 365

March 11th, 2013

If your certificate for your ADFS environment is about to expire, you will receive this warning in the Office 365 admin portal.

(Screenshot: Office 365 certificate expiry warning)

To get rid of the warning, and to keep your ADFS environment working, you need to update your ADFS certificate. If you follow these steps, you should not run into problems:

Prerequisites

  • Get the new certificate with private key in a .pfx format
    • Make sure the certificate minimum key size is 2048 bits
  • If TMG/UAG is used, install the certificate on ALL array members

Step 1 – Install the new certificate on ALL your ADFS servers in the farm (including proxy servers)

  1. Open a PowerShell console or command prompt with elevated rights and run this command
  2. certutil -f -p "CertPassword" -importPFX "CertPath\CertName"

Step 2 - Give the ADFS service account permissions to access the private key of the new certificate

  1. Open the local computer certificate store, select the certificate that was just imported
  2. Right-click at the certificate -> All Tasks -> Manage Private Keys
  3. Add the ADFS service account, and give at least read permissions to the account

Step 3 - Bind the new certificate to the ADFS website by using IIS Manager

  1. Open the Internet Information Services (IIS) Manager snap-in
  2. Right-click Default Web Site, and then select Edit Bindings
  3. Select HTTPS, and then click Edit
  4. Select the correct certificate under the SSL certificate heading
  5. Click OK, and then click Close
  6. Do an IISRESET from either PowerShell console or a command prompt

Step 4 – Configure the ADFS Server service to use the new certificate

  1. Open AD FS 2.0 Management
  2. Browse to AD FS 2.0\Service\Certificates
  3. Right-click Certificates, and then select Set Service Communications Certificate
  4. Select the new certificate from the certificate selection UI
  5. Click OK

If you try to add a new Token-signing or Token-decrypting certificate you will probably get a warning.

(Screenshot: certificate warning)
This is because “AutoCertificateRollover” is set to TRUE

Step 5 – Bypass the above certificate warning

  1. Open a PowerShell console with elevated rights and run the following commands
  2. Add-PSSnapin Microsoft.Adfs.PowerShell
  3. Get-ADFSProperties | Select AutoCertificateRollover | ft -Wrap -Auto
     (shows whether AD FS is generating and rolling the token-signing and token-decrypting certificates itself)
  4. Update-ADFSCertificate
     (renews the automatically generated token-signing and token-decrypting certificates)
  5. To turn automatic rollover off, so that you can add your own token-signing or token-decrypting certificate without the warning, run
     Set-ADFSProperties -AutoCertificateRollover $false
     Note that once rollover is off, renewing those certificates before they expire is your job, and every change to the token-signing certificate has to be pushed to Office 365 as in Step 6.

Step 6 – Update your Office 365 tenant to use the new certificate

  1. Go to your internal ADFS server, open a PowerShell console with elevated rights and run the following commands
  2. $cred = Get-Credential
  3. Connect-MsolService -Credential $cred
  4. Get-MsolFederationProperty -DomainName yourdomain.com
  5. Update-MsolFederatedDomain -DomainName yourdomain.com
    • Use the -SupportMultipleDomain switch if the federation trust was set up for multiple domains
    • This publishes the current token-signing certificate from ADFS to Office 365; compare the output of step 4 before and after to confirm the thumbprints now match

Now the warning at your Office 365 tenant should be gone!
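Steps 1, 2 and 4 above can be scripted, and doing so lets you check the certificate properties the prerequisites call for (private key present, 2048-bit key, sensible expiry, Server Authentication usage) before anything is bound to it. The script below is an added example, not from the original post. It assumes a CSP (RSA) key in the .pfx, which is what certificates issued for ADFS 2.0 normally have, Windows Server 2012 or later for Import-PfxCertificate (on 2008 R2 keep the certutil line from Step 1), and the $PfxPath and $ServiceAccount values are placeholders. The IIS binding (Step 3) and the Office 365 update (Step 6) are left to the steps above.

```powershell
# Added example: import and validate the new ADFS service communications
# certificate, grant the service account read access to its private key, and
# switch the Federation Service to it.
$PfxPath        = 'C:\Certs\sts.contoso.com.pfx'   # assumed
$ServiceAccount = 'CONTOSO\svc-adfs'                # assumed AD FS service account
$PfxPassword    = Read-Host -Prompt 'PFX password' -AsSecureString

function Test-AdfsServiceCertificate {
    # Returns the list of problems found; nothing returned means usable.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()
    if (-not $Cert.HasPrivateKey) {
        $problems += 'no private key (import the .pfx, not the .cer)'
    }
    if ($Cert.PublicKey.Key.KeySize -lt 2048) {
        $problems += "key size $($Cert.PublicKey.Key.KeySize) is below the 2048-bit minimum"
    }
    if ($Cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $problems += "expires $($Cert.NotAfter.ToShortDateString()), too soon to be worth deploying"
    }
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku) {
        $oids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
        if ($oids -notcontains '1.3.6.1.5.5.7.3.1') { $problems += 'missing Server Authentication EKU' }
    }
    $problems
}

# Step 1: import into the machine store
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPassword

$problems = @(Test-AdfsServiceCertificate -Cert $cert)
if ($problems.Count -gt 0) {
    throw "Certificate $($cert.Thumbprint) rejected: $($problems -join '; ')"
}

# Step 2: the private key of a CSP (RSA) certificate is a file under
# MachineKeys; the service account needs Read on it, nothing more.
$keyFile = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyFile
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Step 4: point the Federation Service at the new certificate and show the result
Add-PSSnapin Microsoft.Adfs.PowerShell
Set-ADFSCertificate -CertificateType Service-Communications -Thumbprint $cert.Thumbprint
Get-ADFSCertificate -CertificateType Service-Communications |
    Select-Object Thumbprint, StoreName, StoreLocation

"Bind thumbprint $($cert.Thumbprint) to the HTTPS site in IIS (Step 3) on every farm member."
```

Run it on each ADFS server, proxies included, exactly as Step 1 says; the validation function is the part to keep even when the rest is done by hand, since a certificate with a 1024-bit key or without the Server Authentication usage will import without complaint and only fail once clients start connecting.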