AAD Connect 1.3.21.0 fixes two vulnerabilities

Wednesday, May 15, 2019

AAD Connect version 1.3.21.0 was released today, which fixes an elevation of privilege vulnerability found in version 1.3.20.0. This latest build is a pure security release -- it does not include any new features.
Fixed an elevation of privilege vulnerability that exists in Microsoft Azure Active Directory Connect build 1.3.20.0. This vulnerability, under certain conditions, may allow an attacker to execute two PowerShell cmdlets in the context of a privileged account, and perform privileged actions. This security update addresses the issue by disabling these cmdlets. For more information see security update.
To exploit this vulnerability, an attacker would need to authenticate to the Azure AD Connect server. These cmdlets can be executed remotely only if remote access is enabled on the Azure AD Connect server.

It is recommended to download and install AAD Connect 1.3.21.0 ASAP, rather than wait for the auto upgrade process to run, which can take several days or may be disabled in your environment.


Join us for a Free Webinar: Top 5 Hybrid Considerations, May 16 @ 10:00 AM PDT

Tuesday, May 14, 2019

Please join me and fellow MVP Jaap Wesselius for a free webinar where we discuss the Top 5 Exchange Hybrid Considerations. This webinar is hosted by my friends at Enow Software.

The challenge in managing an Exchange / Hybrid environment really lies in all the complexities. Jaap and I will cover the "Top 5 Exchange Hybrid" considerations, laying out all your options and the best plan given various organizational needs and goals.

Whether your organization is thinking about running an Exchange hybrid environment or already is, you don't want to miss the Top 5 considerations. We will touch on:

  • Identities  
  • Synchronization
  • Authentication
  • Can't give away everything, tune in for more!

Tune in on May 16 at 10:00 AM PDT for best practices from the experts. Doing so could help your organization avoid an overly complicated environment, costly outages, and/or a poor end user experience.

See you there!


HCW Organization Configuration Transfer breaks Outlook connectivity to Office 365

Thursday, May 2, 2019
5/16/2019 Update -- The latest version of the HCW (version 16.0.3054.9) no longer syncs the OAuth2ClientProfileEnabled property, which caused the issue. Thanks to the Exchange product group for fixing this so quickly.
Recent versions of the Office 365 Hybrid Configuration Wizard (HCW) offer a feature called Organization Configuration Transfer, which is documented here. Organization Configuration Transfer (OCT) copies the organization policy objects from on-premises to Exchange Online (EXO), and updates values in EXO with the values from on-premises.

OCT is an option when running the HCW, not a requirement. It is designed to reduce the number of policies and objects that need to be configured in EXO by copying them from on-prem. Admins can also occasionally re-transfer settings using OCT in order to update EXO with new or updated on-prem policies and configurations.

OCT was updated to OCT-V2 in November 2018 to include several additional objects that were not previously synced, including the Organization Config object. This poses a problem if your on-prem environment is not configured for hybrid modern authentication because it will turn off access to EXO from Outlook and Skype for Business. This happens when the OCT overwrites the OAuth2ClientProfileEnabled property using Set-OrganizationConfig. On-prem environments without hybrid modern auth have this property set to false, whereas online it is always true (unless you want to deny modern auth).

Review the objects that OCT will transfer

The OCT will update the OAuth2ClientProfileEnabled property to FALSE

Turning the OAuth2ClientProfileEnabled property to false disables modern authentication for clients like Outlook and Skype for Business, and users will be continuously prompted for authentication and will be unable to connect to Exchange Online. Hilarity does not ensue.

This happened in my own environment. I discovered using Admin Audit Logging that the OAuth2ClientProfileEnabled property in the Organization Config was set to false the Friday before the problem started on Sunday morning. That date/time corresponded to the HCW logs. I had re-run the HCW and the Org Transfer Friday afternoon, which set the property to false.

Fiddler showed the same error described in the Auth_URI Failures section of the HMA article (https://blogs.technet.microsoft.com/exchange/2017/12/06/announcing-hybrid-modern-authentication-for-exchange-on-premises/):

HTTP/1.1 401 Unauthorized
Cache-Control: private
Server: Microsoft-IIS/10.0
request-id: 3e5472dd-320e-4378-85e1-e22f00b53d38
X-CalculatedBETarget: dm6pr04mb6185.namprd04.prod.outlook.com
X-RUM-Validated: 1
X-UserType: Business
x-ms-diagnostics: 4000000;reason="Flighting is not enabled for domain 'cloud@expta.com'.";error_category="oauth_not_available"
X-DiagInfo: DM6PR04MB6185
X-BEServer: DM6PR04MB6185
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-FEServer: BYAPR02CA0010
WWW-Authenticate: Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0000-0000-c000-000000000000@*", token_types="app_asserted_user_v1 service_asserted_app_v1", authorization_uri="https://login.windows.net/common/oauth2/authorize", error="invalid_token",Basic Realm=""
Date: Mon, 29 Apr 2019 22:57:42 GMT
Content-Length: 0

Tenants who have modern authentication enabled in EXO or any tenant created after August 2018 would normally have this enabled.

To easily check if this is affecting your Exchange Online environment, run the following cmdlet in EXO PowerShell:
(Get-OrganizationConfig).OAuth2ClientProfileEnabled
Tenants who have modern authentication enabled in EXO or any tenant created after August 2018 would normally have this value set to True. If it isn't, run the following cmdlet:
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
Note that it takes up to 30 minutes before the change becomes effective.

I've been working with the product team to remove this property transfer from OCT, since no one can think of a good reason for this property to sync in the first place. In the meantime, if you use OCT in the HCW you should remove the checkbox for Organization Config on the right-hand side.
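
The audit-log lookup and property check described in this post, combined into one script. This is an added example, not code from the original post: the function name Get-OAuth2ProfileChange and the 30-day lookback are assumptions, and it presumes admin audit logging is enabled and Search-AdminAuditLog is available in your Exchange Online PowerShell session.

```powershell
# Added example; run in an Exchange Online PowerShell session.
$LookbackDays = 30   # assumption: adjust to your audit log retention

# Hypothetical helper: list every Set-OrganizationConfig call that touched
# OAuth2ClientProfileEnabled, with who ran it and the value that was written.
function Get-OAuth2ProfileChange {
    param([int]$Days = 30)
    Search-AdminAuditLog -Cmdlets Set-OrganizationConfig `
            -Parameters OAuth2ClientProfileEnabled `
            -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) |
        ForEach-Object {
            $entry = $_
            # CmdletParameters is a list of Name/Value pairs for the call
            $value = ($entry.CmdletParameters |
                Where-Object Name -eq 'OAuth2ClientProfileEnabled').Value
            [pscustomobject]@{
                RunDate   = $entry.RunDate
                Caller    = $entry.Caller
                NewValue  = $value
                Succeeded = $entry.Succeeded
            }
        } | Sort-Object RunDate
}

$changes = Get-OAuth2ProfileChange -Days $LookbackDays
$changes | Format-Table -AutoSize

$current = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
if (-not $current) {
    Write-Warning 'OAuth2ClientProfileEnabled is False; Outlook and Skype for Business modern auth will fail.'
    # Most recent change that wrote False, to line up against the HCW log timestamps
    $last = $changes | Where-Object { "$($_.NewValue)" -eq 'False' } | Select-Object -Last 1
    if ($last) {
        Write-Warning "Last set to False at $($last.RunDate) by $($last.Caller)."
    }
    # Remediation from the post (takes up to 30 minutes to become effective):
    # Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
}
else {
    Write-Output 'OAuth2ClientProfileEnabled is True.'
}
```

The remediation line is left commented out so the script is read-only by default.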


Don't miss Comms vNext 2019!

Friday, April 26, 2019
For those of you who were fortunate enough to attend the MEC conferences, you understand what it's like to be a part of a wonderful blend of community and awesome technical content.

If you work with Teams or Skype for Business, that experience is happening again with the Comms vNext conference in Denver, CO June 5-6th 2019.


This two-day conference promises to be a spectacular event with 36 sessions devoted to Teams and Skype for Business. Sessions will cover voice and voicemail, end-user adoption, development and much more. And all sessions will be led by the superheroes of the industry including 9 Microsoft product group members, 18 MVPs and MCMs from around the world. The keynote will be held on Wednesday, June 5th, by Heidi Gloudemans.

In my view, the most valuable part of a conference like this is the opportunity to develop business relationships with the speakers and attendees. Folks who work with these technologies every day, just like you. With a limit of only 300 attendees, this conference promises to bring everyone together in a way that can't be matched in other huge conferences.

The cost of this two-day event is only $299 for both days and access to all sessions. Even better, you can get a hotel-included package for $525, which includes a two-night stay at the Denver Renaissance Stapleton where the conference will be held. Register today before this conference sells out!

AAD Connect 1.3.90.0 is about to be released

Wednesday, March 27, 2019
Microsoft is about to release Azure AD Connect version 1.3.90.0 to all AAD Connect customers. Typically, they pre-release it to select customers through a limited release program using AAD Connect's auto-upgrade feature. When the telemetry comes back that the upgrade is successful, they perform a general availability release to all customers a few days later.

To check which build you're running, run the following cmdlet:
(Get-Item 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADConnect.exe').VersionInfo
The output will look like this:



There are some significant improvements in this version. The ones I find particularly interesting are highlighted below.

New features and improvements

  • Add support for Domain Refresh
  • Exchange Mail Public Folders feature goes GA
  • Improve wizard error handling for service failures
  • Added warning link for old UI on connector properties page.
  • The Unified Groups Writeback feature is now GA
  • Improved SSPR error message when the DC is missing an LDAP control
  • Added diagnostics for DCOM registry errors during install
  • Improved tracing of PHS RPC errors
  • Allow EA creds from a child domain
  • Allow database name to be entered during install (default name ADSync)
  • Upgrade to ADAL 3.19.8 to pick up a WS-Trust fix for Ping and add support for new Azure instances
  • Modify Group Sync Rules to flow samAccountName, DomainNetbios and DomainFQDN to cloud - needed for claims
  • Modified Default Sync Rule Handling – read more here.
  • Added a new agent running as a windows service. This agent, named “Admin Agent”, enables deeper remote diagnostics of the Azure AD Connect server to help Microsoft Engineers troubleshoot when you open a support case. Read more about the Admin Agent here.
  • Updated the End User License Agreement (EULA)
  • Added auto upgrade support for deployments that use AD FS as their login type. This also removed the requirement of updating the AD FS Azure AD Relying Party Trust as part of the upgrade process.
  • Added an Azure AD trust management task that provides two options: analyze/update trust and reset trust.
  • Changed the AD FS Azure AD Relying Party trust behavior so that it always uses the -SupportMultipleDomain switch (includes trust and Azure AD domain updates).
  • Changed the install new AD FS farm behavior so that it requires a .pfx certificate by removing the option of using a pre-installed certificate.
  • Updated the install new AD FS farm workflow so that it only allows deploying 1 AD FS and 1 WAP server. All additional servers will be done after initial installation.


Fixed issues

  • Fix the SQL reconnect logic for ADSync service
  • Fix to allow clean Install using an empty SQL AOA DB
  • Fix PS Permissions script to refine GWB permissions
  • Fix VSS Errors with LocalDB
  • Fix misleading error message when object type is not in scope
  • Corrected an issue where installation of Azure AD PowerShell on a server could potentially cause an assembly conflict with Azure AD Connect.
  • Fixed PHS bug on Staging Server when Connector Credentials are updated in the old UI.
  • Fixed some memory leaks
  • Miscellaneous Autoupgrade fixes
  • Miscellaneous fixes to Export and Unconfirmed Import Processing
  • Fixed a bug with handling a backslash in Domain and OU filtering
  • Fixed an issue where ADSync service takes more than 2 minutes to stop and causes a problem at upgrade time.


Clearing up confusion about Office 365 Equivalency Use Rights

Friday, February 22, 2019
You may have heard about "Office 365 equivalency rights" or "dual use rights". These rights allow users to access on premises servers, such as Windows Server, Exchange Server, SharePoint Server, and Skype for Business Server using their Office 365 E3 or E5 licenses.

Office 365 equivalency licenses only provide user use rights, not server rights. In other words, O365 licenses are equivalent to Exchange Server Client Access Licenses (both Standard and Enterprise) and Windows Server CALs, but you still need server licenses to run Exchange Server on Windows Server on premises.

One exception to this rule is that your Office 365 subscription lets you use the free hybrid key to run an Exchange hybrid management server. An important caveat here is that the hybrid server cannot be used to host user mailboxes and you may still need a server license for Windows Server. The free hybrid key is available to all Enterprise Office 365 customers, even if they get their license from the CSP channel which says it's "Not On Premises Capable -- Cloud only rights".


Microsoft used to have an authoritative website called, "Licensing How To: Using Office 365 user licenses to meet CAL requirements" that described how these equivalency rights work, but it became a casualty when Microsoft moved most documentation to docs.microsoft.com. Fortunately, you can still read a cached copy of that website from the web archive (for now, at least -- who knows how long that will last).

A suitable replacement for the now-gone licensing website is the Licensing Office 365 document. I include a copy of that PDF document here on my blog, just in case it falls to the same fate. ;)

Notable extracts from this document include the following about equivalent use rights:
  • “Office 365 E3 provides your users with the latest full Office across most devices, plus a wide range of integrated collaboration services coupled with advanced compliance features and full IT power. Office 365 Enterprise includes Office 365 ProPlus for up to five PCs or Macs, five tablets, and five smartphones. It also includes Exchange Online, SharePoint Online, Lync Online, and Yammer Enterprise—along with access rights to equivalent on-premises server workloads.” (Page 3)
  • Note that all Microsoft 365 E3 and E5 USL license a user for access to Windows Server, but does not include a license for the Windows Server product itself. (Page 2)

Note that the title of the section is "On-premises server rights", but it should really be "On-premises user rights" since it only applies to the User Subscription License (USL).

Hopefully, this will help you answer some of your user CAL questions when you have an Office 365 subscription. I've seen some licensing providers say that you still need to buy user CALs, even when you have an Office 365 subscription that includes these equivalency rights.


Join me at COUCUG for a talk about the new Exchange patches

Wednesday, February 20, 2019

Join me Thursday, February 21st, as I present a session on Exchange Server patching, specifically around the new security patches just released. I'll be presenting to a live audience via Skype for Business at the Colorado Unified Communications User Group (COUCUG).

Where: 7595 Technology Way, Suite 400 Denver, CO 80237
When: February 21st, 4:00-6:00 pm
Who: Anyone interested in Microsoft Unified (Intelligent) Communications

Agenda (all times in Mountain Standard Time):

4:00-4:10 pm - Arrival and introductions
4:10-5:00 pm - Jeff Guillet and Exchange patching
5:00-5:20 pm - Dinner
5:20-6:00 pm - Jonathan and Exchange Online UM (the death of)


Thanks to our friends at Jabra for hosting dinner!