Azure AD Connect version 1.1.751.0 released for download only

Wednesday, April 18, 2018
Microsoft just published Azure Active Directory Connect version 1.1.751.0. This is a bug fix version that resolves two specific issues:

  • Corrected an issue where automatic Azure instance discovery for China (21Vianet) tenants was occasionally failing.
  • For AD FS there was a problem in the configuration retry logic that would result in an ArgumentException stating "an item with the same key has already been added." This would cause all retry operations to fail.
Since these issues only affect a small number of users this build will not be deployed via Auto Upgrade. Affected users will need to download this version directly from the AAD Connect download site.


Cross-Premises Mailbox Delegation in Hybrid Office 365

Tuesday, April 3, 2018
Exchange hybrid organizations commonly ask about delegating mailbox permissions between on-premises and cloud users. I'm happy to say that this is finally becoming a reality. This is being rolled out to all Office 365 tenants by the end of April 2018.

Gone are the days when you had to migrate users with delegated permissions at the same time to keep delegation working when migrating to Exchange Online. To enable cross-premises delegation, you first need to configure it in Exchange on-prem with the following cmdlet:
Set-OrganizationConfig -ACLableSyncedObjectEnabled $true
This is all you need to allow an on-prem user to become a delegate of a cloud user's mailbox.

If you want to allow a cloud user to become a delegate of an on-prem user, you need to reconfigure the msExchRecipientDisplayType attribute for the remote mailbox in on-prem AD. This will allow the cloud user mailbox to become ACLable. The default value for a mailbox that has been migrated from on-prem to Exchange Online is -2147483642. This value must be changed to -1073741818.

The following on-prem cmdlet will change the value for a particular mailbox (replace <username> with the account of the migrated mailbox):
Get-ADUser -Identity <username> -Properties msExchRecipientDisplayType | where {$_.msExchRecipientDisplayType -eq -2147483642} | Set-ADUser -Replace @{msExchRecipientDisplayType = -1073741818}
And this cmdlet will change the value for all migrated mailboxes:
Get-ADUser -Filter * -Properties msExchRecipientDisplayType | where {$_.msExchRecipientDisplayType -eq -2147483642} | Set-ADUser -Replace @{msExchRecipientDisplayType = -1073741818}
Once this is done, the cloud users can become delegates for on-prem users. Note that there is no need to force directory replication using AAD Connect. It just works.
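
A scoped variant of the bulk change above, as an added example that is not part of the original post: it filters on the domain controller, limits the change to one OU, saves the prior values to a CSV for review and rollback, and supports -WhatIf. The function name, OU path and CSV path are hypothetical.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$SyncedMailbox  = -2147483642   # value the post gives for a migrated mailbox
$AclableMailbox = -1073741818   # value the post says makes the mailbox ACLable

function Set-MigratedMailboxAclable {          # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,  # OU to limit the change to
        [Parameter(Mandatory)] [string] $BackupCsv    # file that records prior values
    )

    # Let the DC do the filtering instead of piping every user through where {}.
    $targets = @(Get-ADUser -SearchBase $SearchBase `
        -LDAPFilter "(msExchRecipientDisplayType=$SyncedMailbox)" `
        -Properties msExchRecipientDisplayType)

    if ($targets.Count -eq 0) {
        Write-Verbose "No objects with value $SyncedMailbox under $SearchBase"
        return
    }

    # Record what is about to change (Export-Csv is skipped under -WhatIf).
    $targets |
        Select-Object DistinguishedName, SamAccountName, msExchRecipientDisplayType |
        Export-Csv -Path $BackupCsv -NoTypeInformation

    foreach ($user in $targets) {
        $action = "Set msExchRecipientDisplayType to $AclableMailbox"
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, $action)) {
            Set-ADUser -Identity $user `
                -Replace @{ msExchRecipientDisplayType = $AclableMailbox }
            $user.DistinguishedName            # emit each changed object
        }
    }
}

# Dry run first (constructed OU and file name), then repeat without -WhatIf:
# Set-MigratedMailboxAclable -SearchBase 'OU=Migrated,DC=example,DC=com' `
#     -BackupCsv .\aclable-before.csv -WhatIf
```
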

Here's how this looks in Outlook. First, I'll show how it looks before I run the cmdlets.

Begin by clicking File in Outlook and then Account Settings > Delegate Access. This will open the Delegates dialog box.

Remote user is not ACLable

Click Add to open the Add Users window. Notice that my Jeff Guillet account has a red circle with a line through it. That means my mailbox is not ACLable. If I try to delegate to that mailbox I get the error, "The user cannot be added. Non-local users cannot be given rights on this server."

After I run the cmdlets above, I follow the same steps. Now my Jeff Guillet user account can be added for delegation.

Remote user is now ACLable.

I can now configure the level of delegation and optionally send the delegate an email summarizing these permissions.

For details on Full Access, Send-As, and Send-On-Behalf-Of permissions in a hybrid environment, please read Overview of delegation in an Office 365 hybrid environment.


Join me at the Microsoft Tech Summit in San Francisco March 19-20!

Friday, March 16, 2018

Please join me for the Microsoft Tech Summit San Francisco March 19-20, 2018 at the Marriott Marquis in downtown San Francisco. Register here.

On Monday, March 19, I'll be at the "Ask The Experts Networking Hour" at 5:45PM PDT. This will be an opportunity for attendees to interact and learn from industry peers and representatives from Microsoft.

Then on Tuesday, March 20th, I'll be presenting, "Running Exchange hybrid over the long term" at 10:45AM PDT.
When you connect on-premises Microsoft Exchange Server to Exchange Online through a hybrid environment, are you creating a short-lived bridge to migrate to the cloud? Or will this hybrid live on indefinitely, waiting for internal and external policy to support a cloud-only reality? Either way, make sure you catch this session to learn best practices of running a hybrid Exchange environment. Topics addressed include: maintaining hybrid across patching cycles and upgrades; accommodating changes to network models; adapting during acquisitions and mergers; and more.
While I'm there, you can reach out to me to see how EXPTA Consulting can help you with your IT projects. Please join me and I look forward to seeing you in San Francisco!

Storing email signatures in the Exchange mailbox

Thursday, March 15, 2018

A common complaint is that users must configure their email signatures every time they configure their mailbox on a new Outlook client or in OWA for the first time.

The current email signature behavior in Exchange and Exchange Online is that users must create new signatures every time they add a new mailbox in Outlook and in each of the Outlook apps. OWA already stores a text and HTML signature in the mailbox, but Outlook doesn't use it. OWA also does not provide for different signatures or a different reply signature like Outlook does. That's very inconsistent behavior.

In a recent discussion with the Exchange and Outlook product groups, the MVPs discussed a long-standing request - to store email signatures in the user's mailbox. Doing so will provide a centralized place to store and retrieve the signatures and provide consistency for the email clients that consume them (Outlook for desktop, Outlook on the web (OWA), and the Outlook apps (iOS and Android)). We are also requesting that signatures can be managed via PowerShell.

The product groups challenged us to show that customers want this by vote count on UserVoice. Please vote for the "Store Signatures in the mailbox" idea on UserVoice website to make your voice heard. I've written a spec for this feature, which I will be submitting to the PGs once the vote count gets higher. Our expectation is that this will work for both Exchange Server and Exchange Online.

Please up-vote this feature request and let's see if we can get this one done!


FREE Webinar: Top 10 Tips for Migrating to Exchange 2016

Wednesday, March 14, 2018

Have you recently migrated or are you thinking about migrating your organization to Exchange 2016? Join me for this recorded webinar as we discuss the top 10 tips and tricks.

Among other topics we'll discuss:
  • What features do you need from Exchange 2016?
  • What is the preferred architecture?
  • How important is running Jetstress?
  • Have you planned the Client Access and Hub transport cut-overs?
Dozens of questions arise when it comes to Exchange migrations. This webinar will provide answers, solutions, and the best insights accumulated over numerous migrations.

Head over to ENow Software to view this FREE webinar.

Webinar: Top 10 Tips for Migrating to Exchange 2016

EXPTA Consulting is available to help you with your Exchange 2016 or Office 365 needs. Contact us today to set up a call to discuss how we can help you!


Announcing AAD Connect 1.1.749.0 with new privacy and troubleshooting features

Thursday, March 1, 2018
Microsoft is drizzling out a new build of Azure Active Directory Connect via auto-upgrade to select customers. They often do this when a new build has significant changes to make sure it doesn't break in existing organizations that currently use AAD Connect. It will be available for all customers to download in the coming days/weeks as either an auto-upgrade or manual download.

The new version includes new privacy and troubleshooting features that were previously unavailable. The new privacy features are especially important for customers affected by GDPR. Head on over to the ENow ESE Blog to read more and understand how these new features can help your business...

Warning - High number of corrupt items in hybrid migrations

Wednesday, February 14, 2018
UPDATE: This issue has been resolved, but the outcome was less than optimal. If you configured your mailboxes to migrate with a high message corruption limit and the mailbox move succeeded, those mailboxes will have data loss. Microsoft's "remediation plan" is the following:
What action do I need to take? If your migration failed, we recommend that you cancel and re-submit any affected migration requests and proceed with any migrations that were postponed. For migrations that completed with missing items, we have identified a remediation plan that admins can apply that will assist with restoring missing calendar items.

Admins will have a three-step process that they will need to take:
  1. Offboard the mailbox. 
  2. Restore calendar content into the mailbox using a New-MailboxRestoreRequest command. 
  3. Onboard the restored on-premises mailbox back into Exchange Online. 

My original post follows:

I'm publishing this article as a public service announcement since Microsoft is not warning customers in the Office 365 Service Health Dashboard.

Beginning last week, we noticed that hybrid mailbox moves to Exchange Online started failing with a very high number of corrupt items, usually calendar items. The default limit for corrupt items is 10 in a hybrid mailbox migration. It's not unusual for some mailboxes to have one or two corrupt mail items, usually calendar items, for mailboxes that have been around for a long time. But suddenly mailbox moves are starting to fail with hundreds of corrupt items.

Migration Batch Status

Migration Report Details 
I've seen this myself in my own tenant, as well as other customers' tenants. It's also being reported by customers in the Microsoft Online: Exchange Online forum. We know it's not a problem with the mailboxes because we can move them between Exchange on-prem databases without any corrupted items being detected.

I and other MVPs have opened support tickets, but they seem to have fallen into black holes. We're getting very little response and the issue still doesn't show in the O365 SHD as of the time of this article. So far, we've found that tenant versions 15.20.485.17, 15.20.506.17, and 15.20.527.17 are affected. To find out which version your tenant is, run the Get-OrganizationConfig | ft AdminDisplayVersion cmdlet in remote PowerShell.

Determine Tenant Version
WARNING: A lot of customers simply increase the corrupt item limit high enough to get the mailbox move to succeed, but that may mean a lot of data loss. I do not recommend that you do this until this issue is fixed.

If you have increased the corrupt item limit to get the migrations to complete, you can retrieve the non-migrated data from the soft deleted mailbox on-premises. See Connect or restore a deleted mailbox for details.

Microsoft has finally updated the Service Health Dashboard to show there's a problem. And they indicate that this affects all mailbox migrations since January 30, 2018!

It took over two full weeks for this issue to surface on the SHD. I don't know about you, but I think this is totally unacceptable.
