Important announcement about AAD Connect password writeback

Friday, October 5, 2018

If you are running an older version of Azure AD Connect with password writeback enabled, make sure you upgrade to the latest version.

Azure AD Connect versions 1.0.8641.0 and older rely on a service that will be retired on November 7th, 2018. For more information, read How to: Migrate from the Azure Access Control service. If you are using AADC version 1.0.8641.0 or older and have enabled password writeback, your users may lose the ability to change or reset their passwords at that time.

To address this issue, upgrade the Azure AD Connect instance for your organization.

AAD Connect 1.0.8641.0 was released June 2015. I certainly hope that you have upgraded your AADConnect since, but it's worthwhile checking to make sure you are not impacted.

To check the version of AAD Connect, use File Explorer to navigate to C:\Program Files\Microsoft Azure Active Directory Connect and check the properties of the AzureADConnect.exe file (the Details tab shows the file version, which is the AAD Connect build number). The latest version of AAD Connect, as of this writing, is 1.1.882.0.
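The same check from PowerShell, as an added example that is not part of the original post: it reads the build number from AzureADConnect.exe, compares it with the 1.0.8641.0 cutoff, and reports whether password writeback is turned on, so only servers that actually have both conditions get flagged. It assumes an elevated session on the AAD Connect server with the default install path, and that the ADSync module installed with AAD Connect exposes Get-ADSyncAADCompanyFeature with a PasswordWriteBack property.

```powershell
# Added example, not from the original post: compare the installed Azure AD Connect
# build with the 1.0.8641.0 cutoff and report whether password writeback is enabled.
# Assumptions: elevated PowerShell on the AAD Connect server, default install path,
# and the ADSync module's Get-ADSyncAADCompanyFeature exposing PasswordWriteBack.

function Test-AadConnectWritebackRisk {
    [CmdletBinding()]
    param(
        # Last build that still depends on the retired Azure Access Control service
        [version]$RetiredBuild = '1.0.8641.0',
        [string]$ExePath = (Join-Path $env:ProgramFiles 'Microsoft Azure Active Directory Connect\AzureADConnect.exe')
    )

    if (-not (Test-Path $ExePath)) {
        throw "AzureADConnect.exe not found at '$ExePath'. Is this the AAD Connect server?"
    }

    # FileVersion on this binary is the AAD Connect build number, e.g. 1.1.882.0
    $installed = [version](Get-Item $ExePath).VersionInfo.FileVersion

    $writeback = $null   # $null means "could not determine"
    try {
        Import-Module ADSync -ErrorAction Stop
        $writeback = [bool](Get-ADSyncAADCompanyFeature).PasswordWriteBack
    } catch {
        Write-Warning "Could not read sync features ($($_.Exception.Message)); writeback state unknown."
    }

    $oldBuild = $installed -le $RetiredBuild

    [pscustomobject]@{
        Server            = $env:COMPUTERNAME
        InstalledVersion  = $installed
        OldBuild          = $oldBuild
        PasswordWriteback = $writeback
        # Only the combination of an old build and writeback breaks password change/reset;
        # an unknown writeback state on an old build is still treated as action required.
        ActionRequired    = $oldBuild -and ($writeback -ne $false)
    }
}

Test-AadConnectWritebackRisk | Format-List
```

If you have a staging-mode AAD Connect server as well, run the function on it too; both instances must be upgraded.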

You can download the latest version of Azure AD Connect using this link:

To read more about upgrading Azure AD Connect to a newer version, please read Azure AD Connect: Upgrade from a previous version to the latest.

Read more ...

How to block external access to the Exchange Admin Center

Tuesday, October 2, 2018

When I was at Microsoft Ignite last week, several customers asked me how to block external access to the Exchange Admin Center. These customers have already completed all their mailbox migrations to Exchange Online and understand they'll need to keep that last Exchange server on-prem as a management server to manage mailboxes, groups, contacts, etc. But now that everyone in their organization has been migrated to Exchange Online, there's no need to allow external access to the hybrid servers for OWA or ECP.

There are several ways to do this:

  1. Remove the OWA/ECP namespace from external DNS so external clients can't resolve the FQDN
  2. Disable external EAC access on all ECP virtual directories using the following cmdlet (thanks to @markes20754 for reminding me):
    Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdminEnabled $false
Note that the command above disables EAC on every Exchange server in the org, for internal as well as external clients. If you want to keep a browser-based EAC on a server that is not published externally, run Set-EcpVirtualDirectory -AdminEnabled $false against the individual ECP virtual directories (by -Identity) instead of piping in all of them. The Exchange Management Shell keeps working either way.

The third way is to limit access to only internal IP addresses using IIS, as shown below:
  • Start by adding the IP Address and Domain Restrictions feature (Web-IP-Security) to the Web Server (IIS) role in Server Manager for each Exchange 2013/2016 hybrid server in the org. This does not require a restart.
  • Open Internet Information Services (IIS) Manager and expand Default Web Site to the ECP virtual directory. Only the front-end Default Web Site needs this; leave the Exchange Back End site alone, since it only receives connections proxied from the front end.
  • Double-click IP Address and Domain Restrictions and click Add Allow Entry on the Actions pane and enter the range for your internal LAN. In the following example I've configured the LAN network.
    • Optionally, you can add other public IP address(es) that you want to allow access from.
    • Click Edit feature settings on the Actions pane. Under Access for unspecified clients select Deny and select the type of error message users see in their browser when they are denied. In the example below, I selected Abort.
    • Enable Proxy Mode makes IIS evaluate not only the client IP it sees on the connection but also the addresses carried in the X-Forwarded-For HTTP header. Enable this option if SNAT is enabled on your load balancer; without it, every request arrives from the load balancer's own internal address, the allow entry matches it, and external clients get through unrestricted. Only trust that header if the load balancer strips or overwrites any X-Forwarded-For value supplied by the client, because otherwise the header is attacker-controlled.
    • Repeat for the OWA virtual directory.
    • Repeat the steps above for each Exchange hybrid server.
    Now if the Exchange Admin Center is accessed externally users will get an error:

  1. This change goes into effect immediately. There's no need to restart IIS.
  2. Only do this after all your user mailboxes have been migrated to Exchange Online, since it prevents users with on-prem mailboxes from using OWA and will break free/busy sharing coexistence with on-prem users. Restrict only the OWA and ECP virtual directories: Exchange Online still needs the Autodiscover and EWS virtual directories to be reachable for hybrid free/busy and mailbox moves.
  3. Exchange 2019 does not publish the Exchange Admin Center externally by default. You need to manually configure it to do so. See Exchange admin center in Exchange Server 2019 for more details.
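The IIS steps above as a repeatable script, added here as an example and not part of the original post. It installs the feature if needed, adds the allow entries, denies unlisted clients with Abort, sets proxy mode, and reads the effective settings back for both virtual directories. It assumes an elevated session on an Exchange 2013/2016 hybrid server; $allowedRanges holds placeholder internal ranges and $useProxyMode must match your load balancer. The settings are written to applicationHost.config location tags, which is where IIS Manager puts them: the ipSecurity section is locked at the server level by default, and writing to the virtual directories' own web.config files is fragile because Exchange cumulative updates can rewrite them.

```powershell
# Added example, not from the original post: IIS IP and Domain Restrictions for the
# ECP and OWA virtual directories on the front-end Default Web Site, via PowerShell.
# Assumptions: elevated PowerShell on each Exchange 2013/2016 hybrid server;
# $allowedRanges are placeholders; $useProxyMode matches your load balancer.

Import-Module WebAdministration

$allowedRanges = @(
    @{ ipAddress = '10.0.0.0';    subnetMask = '255.0.0.0'   },   # placeholder LAN range
    @{ ipAddress = '192.168.0.0'; subnetMask = '255.255.0.0' }    # placeholder LAN range
)
# $true only when the load balancer SNATs AND overwrites X-Forwarded-For itself;
# otherwise the header is client-controlled and must not be trusted.
$useProxyMode = $false

# The feature is not part of the Exchange prerequisites; adding it needs no restart
if (-not (Get-WindowsFeature -Name Web-IP-Security).Installed) {
    Install-WindowsFeature -Name Web-IP-Security | Out-Null
}

$appHost = 'MACHINE/WEBROOT/APPHOST'            # applicationHost.config, per-location
$filter  = 'system.webServer/security/ipSecurity'

foreach ($vdir in 'Default Web Site/ecp', 'Default Web Site/owa') {
    # Existing allow entries, so re-running the script does not add duplicates
    $existing = @(Get-WebConfiguration -Filter "$filter/add" -PSPath $appHost -Location $vdir |
                  ForEach-Object { $_.ipAddress })

    foreach ($range in $allowedRanges) {
        if ($existing -notcontains $range.ipAddress) {
            Add-WebConfigurationProperty -Filter $filter -PSPath $appHost -Location $vdir -Name '.' `
                -Value @{ ipAddress = $range.ipAddress; subnetMask = $range.subnetMask; allowed = $true }
        }
    }

    # Deny everyone not on the list; AbortRequest is the "Abort" choice in IIS Manager
    # and drops the connection instead of answering with a 403 page.
    Set-WebConfigurationProperty -Filter $filter -PSPath $appHost -Location $vdir -Name allowUnlisted   -Value $false
    Set-WebConfigurationProperty -Filter $filter -PSPath $appHost -Location $vdir -Name denyAction      -Value 'AbortRequest'
    Set-WebConfigurationProperty -Filter $filter -PSPath $appHost -Location $vdir -Name enableProxyMode -Value $useProxyMode

    # Read back the effective configuration for this virtual directory
    $cfg = Get-WebConfiguration -Filter $filter -PSPath $appHost -Location $vdir
    $allowed = ($cfg.Collection | ForEach-Object { "$($_.ipAddress)/$($_.subnetMask)" }) -join ', '
    '{0}: allowUnlisted={1} denyAction={2} proxyMode={3} allowed=[{4}]' -f `
        $vdir, $cfg.allowUnlisted, $cfg.denyAction, $cfg.enableProxyMode, $allowed
}
```

Run it on every hybrid server, then confirm from outside the network that https://your-namespace/ecp no longer answers (the connection is aborted) while it still loads from the LAN. If you later enable proxy mode, remember that the load balancer's own address must also be on the allow list, since IIS evaluates it alongside the forwarded addresses.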

    Read more ...

    User-based MFA vs. Conditional Access MFA

    Monday, October 1, 2018
    Thank you to everyone who attended my two sessions, "How to add MFA to your Exchange Online/on-premises mailboxes in 20 minutes or less" at Microsoft Ignite 2018 in Orlando! The first session was recorded and is available on YouTube. I wanted to post a follow-up article to those presentations.

There are two ways to configure users for multi-factor authentication (MFA) in Azure Active Directory: user-based (per-user) MFA and conditional access. In my demos I used user-based MFA in the interest of time, but most customers use conditional access in production.

    When you configure a user for user-based MFA, users are always prompted for MFA whenever they access a cloud resource, such as Exchange Online, SharePoint, Teams, etc. It's either on or off. You can configure a user for user-based MFA from the Azure AD Portal. Click Multi-Factor Authentication at the top of the Users blade.

    This will open a new tab for the user-based MFA configuration page.

From here you can enable users for MFA. As mentioned above, this prompts the user for MFA every time they access a cloud resource. It also breaks access for any apps or protocols that don't support MFA, such as Exchange ActiveSync and other legacy-authentication clients.

A better option is conditional access. Users are prompted for MFA only when a conditional access (CA) policy applies to them, and they should not also be configured for user-based MFA. A user whose per-user MFA state is Enforced (or Enabled, which becomes Enforced once the user registers) is prompted on every sign-in regardless of the CA policy, so the policy's conditions and exclusions have no effect for that user.

You configure CA policies from the Conditional Access blade in the AAD portal.

    Configure the Assignments for the CA policy (who and which apps get it) and configure the Access Controls to Grant access and Require multi-factor authentication.

    MFA will now happen whenever the CA policy is triggered. For further information please see the article, "Quickstart: Require MFA for specific apps with Azure Active Directory conditional access".

Note that there are two places to configure trusted networks and IP addresses where MFA is skipped: trusted IPs for user-based MFA and named locations for conditional access. The two settings are independent and do not affect each other. You can configure both CA named locations and user-based MFA trusted IPs from the Conditional access > Named locations blade.
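The two points above in script form, as an added example that is not part of the original post: first, list the users whose per-user MFA state is Enabled or Enforced, since they are prompted on every sign-in no matter what the CA policy says; second, create the Exchange Online MFA policy in report-only mode so you can check the sign-in logs before enforcing it. It assumes the MSOnline and Microsoft.Graph.Identity.SignIns modules (both newer than this post) are installed, that you have already run Connect-MsolService and Connect-MgGraph with the Policy.ReadWrite.ConditionalAccess scope, and that $breakGlassGroupId is a placeholder for your emergency-access group.

```powershell
# Added example, not from the original post.
# Assumptions: MSOnline and Microsoft.Graph.Identity.SignIns modules installed;
# Connect-MsolService and Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'
# already run; $breakGlassGroupId is a placeholder object ID.

function Get-PerUserMfaUsers {
    # StrongAuthenticationRequirements is empty for users whose per-user MFA is Disabled;
    # anyone listed here is prompted on every sign-in regardless of Conditional Access.
    Get-MsolUser -All |
        Where-Object { $_.StrongAuthenticationRequirements.Count -gt 0 } |
        Select-Object UserPrincipalName,
            @{ n = 'PerUserMfaState'; e = { $_.StrongAuthenticationRequirements[0].State } }
}

function Disable-PerUserMfa {
    # Move a user from per-user MFA to CA-driven MFA by clearing the requirement.
    # Do this only after the CA policy that should cover the user is enabled.
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()
}

function New-ExchangeOnlineMfaPolicy {
    param(
        [Parameter(Mandatory)][string]$BreakGlassGroupId,
        # Report-only first; change to 'enabled' after reviewing the sign-in log results
        [ValidateSet('enabled', 'disabled', 'enabledForReportingButNotEnforced')]
        [string]$State = 'enabledForReportingButNotEnforced'
    )

    # Well-known application ID of Office 365 Exchange Online
    $exchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'

    $policy = @{
        DisplayName   = 'Require MFA for Exchange Online'
        State         = $State
        Conditions    = @{
            Users          = @{ IncludeUsers = @('All'); ExcludeGroups = @($BreakGlassGroupId) }
            Applications   = @{ IncludeApplications = @($exchangeOnlineAppId) }
            # Browser and modern-auth clients can satisfy MFA. Legacy protocols
            # (exchangeActiveSync, other) cannot, so they are left to a separate
            # policy that blocks legacy authentication outright.
            ClientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
        }
        GrantControls = @{ Operator = 'OR'; BuiltInControls = @('mfa') }
    }
    New-MgIdentityConditionalAccessPolicy @policy
}

# Usage
Get-PerUserMfaUsers | Format-Table -AutoSize
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder
New-ExchangeOnlineMfaPolicy -BreakGlassGroupId $breakGlassGroupId
```

Review the report-only results in the Azure AD sign-in logs, switch the policy to enabled, and only then clear per-user MFA for the users listed by Get-PerUserMfaUsers; clearing it first would leave those users with no MFA at all until the CA policy is enforced.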

    Read more ...

    Got 20 minutes to secure Exchange Server?

    Friday, September 21, 2018

    Going to Ignite? Got 20 minutes to see how easy it is to secure Exchange on-premises? Come see my theater session, "How to add MFA to your Exchange Online/on-premises mailboxes in 20 minutes or less".

    Securing Exchange doesn't have to be hard. Learn how to dramatically increase your organization's security posture in just 20 minutes. In this fast-paced session, learn how to use conditional access and MFA to easily secure Exchange Online and Exchange on-premises, including demos of the end-to-end user experience. We cover authentication, how to configure Azure Active Directory and Exchange, licensing, and other requirements.

    Add these sessions to your Ignite Schedule Builder!

    Monday, September 24, 3:25 PM - 3:45 PM, Expo Theater #11
    THR3024 - How to add MFA to your Exchange Online/on-premises mailboxes in 20 minutes or less

    Thursday, September 27, 3:25 PM - 3:45 PM, Expo Theater #12
    THR3024R - How to add MFA to your Exchange on-premises or Exchange Online mailboxes in 20 minutes or less (REPEAT)

So far over 1,400 people have added THR3024 to their schedules. That's a lot of folks! Be sure to come to the THR3024R repeat session on Thursday if Monday's is too crowded. I look forward to seeing you there!

    Read more ...

    Minor update for AAD Connect customers who use SQL

    Tuesday, September 11, 2018
    Azure Active Directory Connect version 1.1.882.0 has been released.

This build fixes an issue where the Azure AD Connect upgrade fails if a SQL Server Always On availability group is configured for the ADSync database.

    This version will not be available for automatic upgrade. If this issue affects you, you will need to download and install the new version manually.
    Read more ...

    Outlook 2016 support in Office 365 after Oct 13, 2020

    Friday, August 31, 2018

    UPDATE, Sept. 6: Microsoft has updated its Office support statement. Read Helping customers shift to a modern desktop:
    Office 2016 connectivity support for Office 365 services
    In addition, we are modifying the Office 365 services system requirements related to service connectivity. In February, we announced that starting October 13, 2020, customers will need Office 365 ProPlus or Office 2019 clients in mainstream support to connect to Office 365 services. To give you more time to transition fully to the cloud, we are now modifying that policy and will continue to support Office 2016 connections with the Office 365 services through October 2023.

    What a difference a word makes.

    On April 20, 2017 the Office Blog wrote an article about Office 365 system requirements changes for Office client connectivity. It references the updated System Requirements for Office, which states:

    “Effective October 13th, 2020, Office 365 will only allow Office client connectivity from subscription clients (Office 365 ProPlus) or Office perpetual clients within mainstream support to connect to Office 365 services. (Please refer to the Microsoft support lifecycle site for Office mainstream support dates.)”
The blog says this "will make it easier for enterprises to deploy and manage Office 365 ProPlus". "Perpetual clients" is the term for traditional MSI-installed Office, usually installed from media or a UNC share.

The problem is that the word "allow" should be "support". "Allow" implies that Microsoft will actively block all connectivity from Office clients that are not in mainstream support. According to the Microsoft Lifecycle Policy, Office 2016 mainstream support ends 10/13/2020.

    Even the beginning of the System Requirements for Office is at odds with the statement above. It says:
    "Office 365 is designed to work best with Office 2016, Office 2013, and Office 2016 for Mac. Previous versions of Office, such as Office 2010, Office 2007, and Office for Mac 2011 may work with Office 365 with reduced functionality."
    This is the traditional support statement we've seen for years. You can continue to use legacy versions of Office with Office 365, you just can't get support for it. If it works, great. If it doesn't, upgrade.

Of course, Microsoft's recommendation and my own is to use the latest and greatest versions of Office. In particular, you should be using Office 365 ProPlus, especially for users who use Office 365. But there are a lot of enterprise and SMB customers who still buy Office using perpetual licenses. They like the fact that they own it and don't have to pay a monthly subscription per user. Some hybrid customers have a large number of seats on-prem and do not want to pay for Office 365 ProPlus licenses for those users. Some SMB customers have Office 365 plans that don't include Office 365 ProPlus.

    Recently, I've heard from customers that Microsoft Office 365 Support is telling them that Office 2016 won't be able to connect to Office 365 after October 13, 2020 and are referencing this support statement. That's heavy-handed fear mongering and it has to stop.

    I'm currently in conversations with the Exchange product group about the new support statement. We agree that the word "allow" should be changed to "support", but they don't control the website or message - the Office Team does. We're still in talks, trying to get the word changed. I'll let you know here how that goes...

    Read more ...

    Announcing the 11th Annual UC Roundtable at Microsoft Ignite!

    Saturday, August 25, 2018

    I'm pleased to announce the 11th Annual UC Roundtable at Microsoft Ignite 2018 in Orlando!

    A one-of-a-kind conference deserves a one-of-a-kind opportunity to network with your peers.

    The purpose of the UC Roundtable is to gather Exchange, Office 365, and Skype for Business/Teams admins, MCMs, MVPs, Exchange product group members, architects, and experts for a free-flowing discussion about issues, questions, and experiences related to collaboration. If you work with these technologies you need to be here!

    Monday, September 24th from 7:00PM to 8:30PM EDT
    We'll be meeting in the outdoor area of Marlow's Tavern at 9101 International Dr, Lower Level -- just a short 10 minute walk from the Ignite convention center.

    The UC Roundtable is going old school again this year! This will be a no-host event. Order your own beer or a bite to eat before you leave for the evening's parties. Please RSVP to so I can tell them how many people to expect.

    Help spread the word on Twitter and I hope to see you there!

    Read more ...