Recent Webcasts

Hiya folks, for those that don’t follow me on Twitter, I wanted to point out a few webcasts I’ve been involved with. Check ’em out!

 

Best Practices for Migrating PSTs and Email Archives to Office 365

https://redmondmag.com/webcasts/2016/06/delljuly19.aspx

Office 365 Migrations and Beyond – Planning for Potential Risks

https://redmondmag.com/webcasts/2016/08/mimecast-sept8.aspx

Skype for Business Online Cloud PBX: Picking Good Numbers

Not your granddaddy’s SfBO

Late last year, Microsoft released a dial-in conferencing and PSTN add-on to the popular Office 365 suite. With these new features, I expect Skype for Business Online to attract serious interest. As a technical implementer, if your Office 365 focus has been limited to Exchange and SharePoint Online, you’ll want to be sure you’re positioned to support these new features before your competition beats you to it!

For an excellent, no-fluff introduction to the topic, I recommend you read fellow MVP Paul Robichaux’s article over on WindowsITPro: “Skype for Business: PSTN Calling”.

Selecting Pleasant Telephone Numbers

One of the first things you’ll want to do after you’ve got the necessary licensing situated is to assign phone numbers to your users. If you’re using the Admin Center, you’ll find this approach is documented here.

When using this screen to assign numbers to my business, I found that the numbers that were being presented weren’t very palatable.

Obviously this is a subjective assessment, though as an example, you’ll likely agree that numbers that end in ‘0000’ are generally more desirable and memorable than those that involve digits from all over your dial pad. Maybe there is some secret TelCo handshake which allows you to pick from great phone numbers, but alas, I don’t know it.😦

Perhaps more frustrating is the fact that the portal limits you by showing only a few numbers at a time (per 10 minutes). Based on my business’ location in Maryland, I wanted a 301 number, but am I supposed to look at 10 numbers every 10 minutes? I’ve not done this with a large tenant yet, so it is possible this UI scales with more licenses/users, but in my testing I couldn’t find a way around this issue.

The good news, however, is that PowerShell once again comes to the rescue! Using the Skype for Business Online cmdlets, we are able to bypass the selection limits of the Admin Center and view up to 200 numbers, in a given city, at a time.

The approach is as follows:

  1. Download and install the SfBO PowerShell module.
  2. Establish a PowerShell remoting session.
  3. Figure out what region you want numbers for, and take note of the geocodes.
  4. Search the inventory, reserving 200 numbers for 10 minutes.
  5. If necessary, manually release the numbers and look at another region.
  6. If all else fails, wait 10+ minutes and re-try the above.

Search and Filter with PowerShell

Connect to SfBO

$credential = Get-Credential mike@contoso.com
$lyncSession = New-CsOnlineSession -Credential $credential
Import-PSSession $lyncSession

Search the inventory

$x = Search-CsOnlineTelephoneNumberInventory -InventoryType Subscriber -Region NOAM -Country US -Area MD -City SS -Quantity 200
Get-CsOnlineTelephoneNumberReservationsInformation

$x.Reservations.numbers.DisplayNumber

Use PowerShell filtering to find desirable number patterns

#Numbers with 00
$x.Reservations.numbers.DisplayNumber | ? {$_ -like '*00*'}

#Numbers ending in 0
$x.Reservations.numbers.DisplayNumber | ? {$_ -like '*0'}

#Numbers not containing 304
$x.Reservations.numbers.DisplayNumber | ? {$_ -notlike '*304*'}

#Numbers with 0 in the last group
$x.Reservations.numbers.DisplayNumber | ? {(($_ -split ' ' )[-1]) -like '*0*'}

Release the numbers and look at a different region (avoiding the 10 minute wait)

Clear-CsOnlineTelephoneNumberReservation -ReservationId $x.ReservationId -InventoryType subscriber
$x = Search-CsOnlineTelephoneNumberInventory -InventoryType Subscriber -Region NOAM -Country US -Area MD -City BE -Quantity 200

$x.Reservations.numbers.DisplayNumber

Select the numbers you like (Don’t forget to include the country code)

Select-CsOnlineTelephoneNumberInventory -ReservationId $x.ReservationId -TelephoneNumbers 13010000000, 13010000003, 13010000002 -Region NOAM -Country US -Area MD -City SS

NOTE: I haven’t worked out the code myself, but you may want to find phone numbers in consecutive blocks, so here is a topic that discusses how to do that.

Once you’ve got the numbers reserved, you can continue to use PowerShell to assign them to your licensed users, or you can go back to the Admin Center and assign them there.
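One way to find the consecutive blocks mentioned in the note above, as an added example that is not code from the original post. The function name Find-ConsecutiveNumberBlock is hypothetical, and it assumes each DisplayNumber carries the country code, so the digits it returns are in the form Select-CsOnlineTelephoneNumberInventory expects for -TelephoneNumbers.

```powershell
function Find-ConsecutiveNumberBlock {
    [CmdletBinding()]
    param(
        # Display numbers, e.g. $x.Reservations.numbers.DisplayNumber
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$DisplayNumber,

        # Smallest run of consecutive numbers worth reporting
        [ValidateRange(2, 200)]
        [int]$MinimumLength = 3
    )
    begin {
        $all = New-Object 'System.Collections.Generic.List[System.Int64]'
    }
    process {
        foreach ($n in $DisplayNumber) {
            # Keep digits only, so spaces, '+', dashes or brackets do not matter
            $digits = $n -replace '\D', ''
            if ($digits) { $all.Add([long]$digits) }
        }
    }
    end {
        $sorted = @($all | Sort-Object -Unique)
        if ($sorted.Count -eq 0) { return }

        $run = New-Object 'System.Collections.Generic.List[System.Int64]'
        $run.Add($sorted[0])

        # A trailing sentinel (-1) flushes the last run through the same code path
        foreach ($current in (@($sorted | Select-Object -Skip 1) + @([long]-1))) {
            if ($current -eq $run[$run.Count - 1] + 1) {
                $run.Add($current)
                continue
            }
            if ($run.Count -ge $MinimumLength) {
                [pscustomobject]@{
                    First   = $run[0]
                    Last    = $run[$run.Count - 1]
                    Count   = $run.Count
                    Numbers = $run.ToArray()
                }
            }
            $run = New-Object 'System.Collections.Generic.List[System.Int64]'
            $run.Add($current)
        }
    }
}

# Constructed sample numbers (not real inventory), in an assumed spaced display format
$sample = '+1 301 000 0000', '+1 301 000 0002', '+1 301 000 0003',
          '+1 301 000 0004', '+1 301 000 0107', '+1 301 000 0108'
$sample | Find-ConsecutiveNumberBlock -MinimumLength 3

# In a live session, feed it the reservation instead:
# $x.Reservations.numbers.DisplayNumber | Find-ConsecutiveNumberBlock -MinimumLength 5
```

The Numbers property of each returned block can be passed to -TelephoneNumbers while the reservation is still active.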

Enabling/Disabling AAD Connect’s Automatic Upgrade Feature

Last week, Microsoft announced this quarter’s Azure Active Directory Connect (AADConnect) update. Version 1.1 (download) includes some big changes, including one that made me worry. AAD Connect now has an Automatic Upgrade feature! Given that this is the first version to include this concept, we won’t see how it works until next quarter, but I sure do hope they are careful.

Cautiously Optimistic

Over the past few years we’ve seen several DirSync/AADSync/AADConnect versions be revoked due to bugs, which means you could wake up one morning to some terrible sync catastrophe resulting from bad sync rules or who knows what. Case in point: THIS VERSION!!! You’ll see in the comments of the announcement I linked above, several people had problems with the upgrade to the 1.1 build and Microsoft quickly released a new version 4 days ago (1.1.110.0). Nevertheless, I believe such a sync-related catastrophe is unlikely. The greater risk is letting your sync software get too out of date, which is something I see more often than I don’t. In fact, Microsoft’s sync tools have been so reliable that many organizations are probably still running the same version deployed when they first migrated to Office 365 (Though they are possibly in an unsupported scenario).

New installations of AAD Connect which use the default “Express” option will enable Automatic Upgrade for you.

I did an in-place upgrade from a prior version to 1.1.110.0 and it left Auto Upgrade in a “Suspended” state, which is not to be confused with “Disabled”. I’m not sure why we need two “not-enabled” states, but it is described in the documentation as a system-only value. It will be easier to test this when there is actually a version beyond 1.1.110.0 to upgrade to.

I think it is interesting that this product doesn’t hook into the operating system’s Automatic Update feature, as most Microsoft products do. My theory is that the Azure AD team is currently moving faster than the requisite internal coordination allows.

Disabling Automatic Upgrade

I would discourage anyone from turning off Automatic Upgrade without good cause (FUD does not count), though there may be some good causes.

For example, while Microsoft discourages us from modifying the default synchronization rules (The product has pop-ups warning you about this too), it is supported. The caveat is that upgrades sometimes redefine the default rules, overwriting your changes. In this case, the guidance states:

If you need to change the scope or the join setting in an “out-of-box” synchronization rule, document this and reapply the change after upgrading to a newer version of Azure AD Connect

As you have probably guessed, this scenario presents a problem with the idea of an automatic upgrade. Luckily for this, and perhaps other reasons, you can disable Automatic Upgrade. There are two new cmdlets for controlling the behavior:

  • Get-ADSyncAutoUpgrade
  • Set-ADSyncAutoUpgrade

Get-ADSyncAutoUpgrade will show you the current state, which will be Enabled, Disabled or Suspended. You can also see this by looking at the AAD Connect summary page (second image above).

To disable AAD Connect’s Automatic Upgrade feature, type:

Set-ADSyncAutoUpgrade -AutoUpgradeState Disabled

Enabling Automatic Upgrade

If you need to enable the feature, type:

Set-ADSyncAutoUpgrade -AutoUpgradeState Enabled

Discussing the “Preferred Architecture” on the Exchange Server Pro Podcast

Last month, I was invited back to the Exchange Server Pro Podcast to discuss the Exchange Server Preferred Architecture with Paul Cunningham, a fellow Microsoft MVP. During the discussion, we covered the definition of the term as well as how to balance it against the realities of your Exchange Environment.

If you’ve got 30 minutes, check it out!

Podcast Episode 8: The Preferred Architecture with Mike Crowley

Presenting at the Rockville, MD Office 365 User Group

If you’ve been here once or twice, you’ll know I like talking about Office 365 and Azure AD Directory Synchronization! If you like this topic too, or are preparing for an upcoming migration, and are in the Washington DC Metro Area next Thursday (Nov. 12), please come to the Rockville-based Office 365 user group meeting.

Rockville Office 365 User Group

During this event, I’ll be covering sync across the following agenda:

  1. Introduction to concepts
  2. Environment Readiness
  3. Tools
  4. Operations and Troubleshooting
  5. Q&A

Attendance is free but please RSVP here:

Guest Appearance on the Exchange Server Pro Podcast

A few days back, I had an opportunity to chat with Paul Cunningham on his Exchange Server Pro Podcast. Paul is a world-renowned Exchange Server expert and Microsoft MVP, based out of Australia. We discussed ways to protect Exchange from attack, along with other security concepts while responding to the recent news around “OWA Vulnerabilities”.

If you’ve got 30 minutes, check it out!

Podcast Episode 4: Securing Outlook Web App (OWA) and Exchange Server with Mike Crowley

Azure AD Connect PowerShell Cmdlets


Microsoft TechNet used to be one of the best documentation libraries in the industry. Sadly, it still is; so what’s that tell you about the industry today?

Office 365 and Azure are truly great cloud services, but the frequency of updates and new releases is a challenge for Microsoft’s own sales team to keep up with, let alone us in the field, trying to work with the stuff. As made abundantly clear by their actions (e.g. killing tech conferences, technical writer layoffs, shuttering TechNet subscriptions, and abandoning the MCM program), Microsoft doesn’t really see “the problem”.

When Microsoft shipped DirSync and then later Azure AD Sync, documentation of the associated PowerShell modules became increasingly sparse, though some cmdlets did have a help synopsis, as I discussed last year. Azure AD Connect, the current version of Office 365 and Azure Active Directory synchronization technology, has 69 cmdlets in the “ADSync” module.

Wanna take a guess at how many of these have an associated help topic? Don’t forget, this product was launched earlier this summer and is now on its second public release.

Zero

(Pause for effect)

So, I have listed all 69 cmdlets here, with a brief note about what I’ve found so far. Right now, most are empty, but I will fill them in as I discover their purpose and/or have more time. If you’ve got a question about one I don’t have detailed, leave a comment and I’ll try to prioritize some research for you. I haven’t checked with the Azure AD team on this, so please take my findings with a grain of salt, and hope for real support documentation to arrive soon!

NOTE: This refers to the “ADSync” module that ships with Azure AD Connect 1.0.8667.0.

Cmdlet: Add-ADSyncAADServiceAccount
My Comments:
Sample Usage:

Cmdlet: Add-ADSyncAttributeFlowMapping
My Comments: Maps a source to target attribute. Export one of the rules from the editor to see this and other samples.
Sample Usage:
Add-ADSyncAttributeFlowMapping `
    -SynchronizationRule $syncRule[0] `
    -Source @('mailNickname','sAMAccountName') `
    -Destination 'cloudFiltered' `
    -FlowType 'Expression' `
    -ValueMergeType 'Update' `
    -Expression 'IIF(IsPresent([isCriticalSystemObject]) || IsPresent([sAMAccountName]) = False || [sAMAccountName] = "SUPPORT_388945a0" || Left([mailNickname], 14) = "SystemMailbox{" || Left([sAMAccountName], 4) = "AAD_" || (Left([mailNickname], 4) = "CAS_" && (InStr([mailNickname], "}") > 0)) || (Left([sAMAccountName], 4) = "CAS_" && (InStr([sAMAccountName], "}") > 0)) || Left([sAMAccountName], 5) = "MSOL_" || CBool(IIF(IsPresent([msExchRecipientTypeDetails]),BitAnd([msExchRecipientTypeDetails],&H21C07000) > 0,NULL)) || CBool(InStr(DNComponent(CRef([dn]),1),"\\0ACNF:")>0), True, NULL)' `
    -OutVariable syncRule

Cmdlet: Add-ADSyncConnector
My Comments:
Sample Usage:

Cmdlet: Add-ADSyncConnectorAnchorConstructionSettings
My Comments:
Sample Usage:

Cmdlet: Add-ADSyncConnectorAttributeInclusion
My Comments:
Sample Usage:

Cmdlet: Add-ADSyncConnectorHierarchyProvisioningMapping
My Comments:
Sample Usage:

Cmdlet: Add-ADSyncConnectorObjectInclusion
My Comments:
Sample Usage:

Cmdlet: Add-ADSyncGlobalSettingsParameter
My Comments:
Sample Usage:

Cmdlet: Add-ADSyncJoinConditionGroup
My Comments: Used in the construction of sync rules. Export one of the rules from the editor to see this and other samples.
Sample Usage:
Add-ADSyncJoinConditionGroup `
    -SynchronizationRule $syncRule[0] `
    -JoinConditions @($condition0[0]) `
    -OutVariable syncRule

Cmdlet: Add-ADSyncRule
My Comments: Export one of the rules from the editor to see this and other samples.
Sample Usage:
Add-ADSyncRule `
    -SynchronizationRule $syncRule[0]

Cmdlet: Add-ADSyncRunProfile
My Comments:
Sample Usage:

Cmdlet: Add-ADSyncRunStep
My Comments:
Sample Usage:

Cmdlet: Add-ADSyncScopeConditionGroup
My Comments: Used in the construction of sync rules. Export one of the rules from the editor to see this and other samples.
Sample Usage:
Add-ADSyncScopeConditionGroup `
    -SynchronizationRule $syncRule[0] `
    -ScopeConditions @($condition0[0],$condition1[0],$condition2[0]) `
    -OutVariable syncRule

Cmdlet: Disable-ADSyncConnectorPartition
My Comments:
Sample Usage:

Cmdlet: Disable-ADSyncConnectorPartitionHierarchy
My Comments:
Sample Usage:

Cmdlet: Disable-ADSyncExportDeletionThreshold
My Comments: Disables the accidental deletion safety feature. More info here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnectsync-feature-prevent-accidental-deletes/
Sample Usage:
Disable-ADSyncExportDeletionThreshold

Cmdlet: Enable-ADSyncConnectorPartition
My Comments:
Sample Usage:

Cmdlet: Enable-ADSyncConnectorPartitionHierarchy
My Comments:
Sample Usage:

Cmdlet: Enable-ADSyncExportDeletionThreshold
My Comments: Enables the accidental deletion safety feature. To verify, run Get-MsolDirSyncConfiguration. More info here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnectsync-feature-prevent-accidental-deletes/
Sample Usage:
Enable-ADSyncExportDeletionThreshold

Cmdlet: Get-ADSyncAADPasswordResetConfiguration
My Comments: I believe this is used to report on password write-back.
Sample Usage:
Get-ADSyncAADPasswordResetConfiguration -Connector 'demo1923.onmicrosoft.com - AAD'

Cmdlet: Get-ADSyncAADPasswordSyncConfiguration
My Comments: Indicates whether or not password hash sync is enabled (SYNC)
Sample Usage:
Get-ADSyncAADPasswordSyncConfiguration -SourceConnector 'laptop.lab'

Cmdlet: Get-ADSyncConnector
My Comments: Gets the management agents (connectors) used by the sync service.
Sample Usage:
Get-ADSyncConnector

Cmdlet: Get-ADSyncConnectorHierarchyProvisioningDNComponent
My Comments: Couldn’t get it to work
Sample Usage:
$x = Get-ADSyncConnector -Name 'laptop.lab'
Get-ADSyncConnectorHierarchyProvisioningDNComponent -ShowHidden -Connector $x

Cmdlet: Get-ADSyncConnectorHierarchyProvisioningMapping
My Comments: Couldn’t get it to work
Sample Usage:
$x = Get-ADSyncConnector -Name 'laptop.lab'
Get-ADSyncConnectorHierarchyProvisioningMapping -Connector $x

Cmdlet: Get-ADSyncConnectorHierarchyProvisioningObjectClass
My Comments: Didn’t test: I presume it lists the objects to be synced (e.g. people, contacts, etc)
Sample Usage:

Cmdlet: Get-ADSyncConnectorParameter
My Comments:
Sample Usage:

Cmdlet: Get-ADSyncConnectorPartition
My Comments:
Sample Usage:

Cmdlet: Get-ADSyncConnectorPartitionHierarchy
My Comments:
Sample Usage:

Cmdlet: Get-ADSyncConnectorTypes
My Comments:
Sample Usage:

Cmdlet: Get-ADSyncGlobalSettings
My Comments: Displays Global Configuration Settings.
Sample Usage:
(Get-ADSyncGlobalSettings).Parameters | Where name -eq Microsoft.SynchronizationOption.AnchorAttribute

Cmdlet: Get-ADSyncGlobalSettingsParameter
My Comments:
Sample Usage:

Cmdlet: Get-ADSyncRule
My Comments: Lists the sync rules
Sample Usage:

Cmdlet: Get-ADSyncRunProfile
My Comments:
Sample Usage:

Cmdlet: Get-ADSyncSchema
My Comments:
Sample Usage:

Cmdlet: Get-ADSyncServerConfiguration
My Comments:
Sample Usage:

Cmdlet: New-ADSyncConnector
My Comments:
Sample Usage:

Cmdlet: New-ADSyncJoinCondition
My Comments:
Sample Usage:

Cmdlet: New-ADSyncRule
My Comments: Export one of the rules from the editor to see this and other samples.
Sample Usage:
New-ADSyncRule `
    -Name 'In from AD - User Join' `
    -Identifier 'c2db05cb-39bd-4e17-a19a-26718c692e48' `
    -Description '' `
    -Direction 'Inbound' `
    -Precedence 100 `
    -PrecedenceAfter '00000000-0000-0000-0000-000000000000' `
    -PrecedenceBefore '00000000-0000-0000-0000-000000000000' `
    -SourceObjectType 'user' `
    -TargetObjectType 'person' `
    -Connector '43617e64-d544-4426-9354-e7d7508915b1' `
    -LinkType 'Provision' `
    -SoftDeleteExpiryInterval 0 `
    -ImmutableTag 'Microsoft.InfromADUserJoin.003' `
    -OutVariable syncRule

Cmdlet: New-ADSyncRunProfile
My Comments:
Sample Usage:

Cmdlet: New-ADSyncScopeCondition
My Comments:
Sample Usage:

Cmdlet: Remove-ADSyncAADPasswordResetConfiguration
My Comments:
Sample Usage:

Cmdlet: Remove-ADSyncAADPasswordSyncConfiguration
My Comments:
Sample Usage:

Cmdlet: Remove-ADSyncAADServiceAccount
My Comments:
Sample Usage:

Cmdlet: Remove-ADSyncAttributeFlowMapping
My Comments:
Sample Usage:

Cmdlet: Remove-ADSyncConnector
My Comments: Removes one of your Management Agents (Connectors)
Sample Usage:

Cmdlet: Remove-ADSyncConnectorAnchorConstructionSettings
My Comments:
Sample Usage:

Cmdlet: Remove-ADSyncConnectorAttributeInclusion
My Comments:
Sample Usage:

Cmdlet: Remove-ADSyncConnectorHierarchyProvisioningMapping
My Comments:
Sample Usage:

Cmdlet: Remove-ADSyncConnectorObjectInclusion
My Comments:
Sample Usage:

Cmdlet: Remove-ADSyncGlobalSettingsParameter
My Comments:
Sample Usage:

Cmdlet: Remove-ADSyncJoinConditionGroup
My Comments:
Sample Usage:

Cmdlet: Remove-ADSyncRule
My Comments: Removes a sync rule.
Sample Usage:

Cmdlet: Remove-ADSyncRunProfile
My Comments:
Sample Usage:

Cmdlet: Remove-ADSyncRunStep
My Comments:
Sample Usage:

Cmdlet: Remove-ADSyncScopeConditionGroup
My Comments:
Sample Usage:

Cmdlet: Search-ADSyncDirectoryObjects
My Comments:
Sample Usage:

Cmdlet: Set-ADSyncAADCompanyFeature
My Comments:
Sample Usage:

Cmdlet: Set-ADSyncAADPasswordResetConfiguration
My Comments:
Sample Usage:

Cmdlet: Set-ADSyncAADPasswordSyncConfiguration
My Comments: See details here: http://blogs.technet.com/b/undocumentedfeatures/archive/2015/11/18/reset-aadsync-or-aadconnect-password-hash-sync-configuration.aspx
Sample Usage:
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false

Cmdlet: Set-ADSyncAADPasswordSyncState
My Comments:
Sample Usage:

Cmdlet: Set-ADSyncConnectorParameter
My Comments:
Sample Usage:

Cmdlet: Set-ADSyncGlobalSettings
My Comments:
Sample Usage:

Cmdlet: Set-ADSyncSchema
My Comments:
Sample Usage:

Cmdlet: Set-ADSyncServerConfiguration
My Comments:
Sample Usage:

Cmdlet: Set-MIISADMAConfiguration
My Comments:
Sample Usage:

Cmdlet: Test-AdSyncUserHasPermissions
My Comments:
Sample Usage:

Cmdlet: Update-ADSyncConnectorPartition
My Comments:
Sample Usage:

Cmdlet: Update-ADSyncConnectorSchema
My Comments:
Sample Usage:

Cmdlet: Update-ADSyncDRSCertificates
My Comments:
Sample Usage: