EMS license assignment to all users made easy

So you’ve purchased Microsoft’s Enterprise Mobility Suite (EMS) licenses, now you need to assign them to users within your organization. A typical situation will be that you already have Office 365 licensed users, and it make sense that all of them will get EMS licenses too.

To achieve this, I would suggest using an Azure AD group with Dynamic Group membership. in this example, the group will include accounts that match ALL these conditions:

  • Enabled users accounts
  • Users with an email address
  • Users with a-non empty Usage Location
  • Synchronized user accounts

Within the Azure AD management portal (http://manage.windowsazure.com) navigate to your Active Directory tenant, and perform the following:

  1. Create a group in Azure AD
  2. Enable it for Dynamic Membership
  3. Enter the advanced rule: (user.accountEnabled -eq “true”) AND (user.mail -ne $null) AND (user.usageLocation -ne $null) AND (user.dirSyncEnabled -eq true)
  4. Assign EMS licenses to the Group

You can read more about Dynamic Group Membership here:

http://blogs.technet.com/b/ad/archive/2015/03/09/attribute-based-dynamic-group-membership-for-azure-ad-premium-is-now-in-preview.aspx

https://azure.microsoft.com/en-us/documentation/articles/active-directory-accessmanagement-groups-with-advanced-rules/

You can also assign licenses with the following methods:

  1. Using the Office 365 Portal – like you would add Office 365 licenses.  This was made available late 2015 – http://blogs.technet.com/b/microsoftintune/archive/2015/09/01/intune-and-ems-subscriptions-now-available-in-the-office-365-portal.aspx
  2. Using Azure AD PowerShell – http://blogs.technet.com/b/treycarlee/archive/2013/11/01/list-of-powershell-licensing-sku-s-for-office-365.aspx ,you can use the following example to assign EMS licenses (with all options) only to users with an Office 365 E3 license:
    $EMSSKU = (Get-MsolAccountSku | ? { $_.AccountSkuID -like "*:EMS"})[0].accountSkuId
    Get-MsolUser -All | ? { $_.licenses.accountsku.SkuPartNumber -eq "ENTERPRISEPACK"} | Set-MsolUserLicense -AddLicenses $EMSSKU
  3. Azure AD Graph API – https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/users-operations#FunctionsandactionsonusersAssignalicensetoauser

Enjoy

ilantz

High Resolution User Photo Synchronization to Office 365

There are some known limitation and inconsistency with user photos synchronization from Active Directory (using the thumbnailPhoto attribute) to Azure AD and Office 365 apps: Exchange, SharePoint and Skype for Business (aka Lync), specifically if you want to upload high resolution photos of your users that will span across all of Office 365 services.

After spending some research time around this issue, here are my findings:

So to summarize at this point, we want to import high resolution photos to our users. If we rely on the thumbnailPhoto attribute value from Active Directory, we will end up with low resolution images (needs more JPEG effect) or inconsistent results if we look on the SharePoint case.

To upload high resolution photos to Office 365, you should use Set-UserPhoto. This approach works great for Exchange Online, Skype for Business and Azure AD. Although promising, my testing (and others..) showed that if your users’ photos were previously synced to SharePoint Online – they will not necessarily be updated using this method.

Here is my take on solving this, in a somewhat chronological order:

  1. If you need your on-premises thumbnailPhoto attribute populated, keep your current practice of maintaining them.
    1. To avoid future inconsistencies – use “Azure AD app and attribute filtering” to filter out thumbnailPhoto using Azure AD Connect – Custom installation of Azure AD Connect
  2. Utilize the Set-UserPhoto cmdlet in Exchange Online PowerShell to upload your users high resolutions (648×648 px) photos
    1. Note Uploading High Resolution Photos using PowerShell for Office 365 to workaround – “The remote server returned an error: (413) Request Entity Too Large” error if you get this.
  3. To upload your users high resolution photos to SharePoint online use the Core.ProfilePictureUploader sample app from the OfficeDev PnP GitHub repo.
    1. To make this easier to non coders 🙂 I’ve complied the code sample for your usage – http://ilantz.com/files/Core.ProfilePictureUploader.zip
      1. Get the source code here and also make sure to read the FAQhttps://github.com/OfficeDev/PnP/tree/master/Samples/Core.ProfilePictureUploader
      2. Follow the explanations in the GitHub page link above around how to run the utility (configuration.xml , the CSV input file and the command syntax).
      3. Make sure your pictures are JPEG files…
    2. This sample app is also documented here, with some additional explanations – Upload user profile pictures sample app for SharePoint

That’s it !

Hope this helps anyone, please comment if it did.

ilantz

How to reset OneDrive for Business when it’s crashing constantly

Recently I’ve messed with my Windows 8.1 profile account, and shortly after my OneDrive for business client started crashing in a loop… it just went crazy, filling my notification area with icons failing to stop. I had no way to reach any menu or remove the folders I’m syncing.

I’ve tried the easy (lazy) way of repairing / uninstalling / removing Office 365 ProPlus (in my case) which turned out useless.. did some manual clean up of registry entries, removed caching files and obviously looked-up forum threads and KB’s which also turned out as you’ve guessed it – useless…

Almost desperate, I’ve turned to the all mighty Process Monitor and started debugging the errors.

Thru closely examining the endless output of entries, I’ve spotted an undocumented registry entry that was being checked by the Groove.exe (which is your OneDrive sync process) upon start-up.

So there I was, crossing fingers,  editing the registry hoping… and BINGO! I have performed a reset to the OneDrive for Business client, and it behaved like the first time I’ve opened it up.

Here it is, Add/Modify these two DWORD values:

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Groove]
"FirstSyncComplete"=dword:00000000


[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Groove\Development]
"IsResyncEnabled"=dword:00000001

Hope this post will help more good folks out there.

ilantz

The Windows PowerShell snap-in Coexistence-Configuration is not installed on this machine

Update 2 – February 24th 2016 – The new February AD Connect release has no schedule task anymore. So we now have a new command in the ADSync module – Start-ADSyncSyncCycle.

To initiate a synchronization locally or remotely (if enabled) , you could run the following command for example:

Invoke-Command -ComputerName DirSync-Server.domain.com -ScriptBlock {& Import-Module ADSync;Start-ADSyncSyncCycle}

Update – July 7th 2015 – For those who have installed the latest AADSync – Azure Active Directory Sync or AD Connect – Azure Active Directory Connect

There has been another change to the module name, it is now ADSync. and the great news is that forcing replication will no longer be a PowerShell cmdlet.

To initiate a synchronization locally or remotely (if enabled) , you could run the following command for example:

Invoke-Command -ComputerName DirSync-Server.domain.com -ScriptBlock {& "C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe"}

If you’re looking also to force a full password sync to Azure AD , visit this page – How to Use PowerShell to Trigger a Full Password Sync in Azure AD Sync


Just noticed now that the new build of Windows Azure Directory Synchronization Tool, is missing the DirSyncConfigShell.psc1 file.
Moreover, the Coexistence-Configuration PSSnapin is also gone. Trying to add the pssnapin would generate the error – The Windows PowerShell snap-in Coexistence-Configuration is not installed on this machine.

So if you’ve trying to use the known way to force a synchronization with DirSync, use these PowerShell commands to achieve what you were used to.

Import-Module DirSync
Start-OnlineCoexistenceSync

import-module-dirsync

enjoy !

This message could not be sent – Error 0x80070005 – Office 365 | Report non-inherited Send-As permissions script

After a few incidents from Office 365 deployments, I’d like to share this issue to help anyone facing it.

If you or anyone of your users tried to send an email and use the “From” option to send as another recipient you might face NDR’s (non delivery reports) which will include these errors:

  • Delivery has failed to these recipients or groups
  • This message could not be sent. Try sending the message again later, or contact your network administrator.  Error is [0x80070005-00000000-00000000]

Using Exchange Server Error Code Look-up (Download Err.exe), 0x80070005 resolves back to MAPI_E_NO_ACCESS or E_ACCESSDENIED which bring us to the actual cause of the issue.

SendAs / Send-as permissions are not retained in migrations to Office 365 just because it is based on an ACL set in Active Directory and ACLs are not synced to Office 365.

To add a SendAs permission use the Add-RecipientPermission cmdlet with Exchange Online Remote PowerShell or use the Exchange Admin Control Panel and add the Send As permission from the “Mailbox Delegation” menu.

Add-RecipientPermission "Help Desk" -AccessRights SendAs -Trustee "Ayla Kol"

See the full reference about the command here – http://technet.microsoft.com/en-us/library/ff935839(v=exchg.150).aspx

As a result of this issue, I’ve created a small script to report which recipients (of any type) have non inherited SendAs permissions ACL’s.  You can later use the report to re-create the permission in 365.

Download the script here: http://gallery.technet.microsoft.com/Report-non-inherited-Send-86ab658b

 

Setting Office 365 UsageLocation value using the Country attribute value

Hi,

Since Office 365 projects started, setting users` licenses with scripts has been somewhat of an issue.

There are great scripts out there to automate assigning licenses to users, but the prerequisite of assigning an Office 365 license to a user is to choose the Usage Location for that user. When dealing with several dozens or hundreds of users that might be fine, but for large scaled deployments this becomes also an issue. and I’ve decided to script it and share this in case anyone will need this as much as I did.

This script is has a really simple logic, trace down the Country attribute value for each user, match that with the two letter country code (required for the PowerShell Set-MsolUser command) and set that value for the user.

I’ve worked up to match the list from https://www.iso.org/obp/ui to the countries available for selection within the Office 365 portal.

Keep in mind that the script will not handle any spelling errors, so be sure to maintain the country value BEFORE you run this script. If you are using Directory Synchronization this should be more productive as your Active Directory will also benefit from this move…

The script will try to find an exact match of the country value, although – case Insensitive.

grab it here: http://gallery.technet.microsoft.com/office/Setting-Office-365-Usage-4d685175

Please share your comments if you have any, I would love hearing this script is being used.

ilantz

Exchange Hybrid Configuration failed with error Subtask Configure execution failed

Hi Again,

While setting up the Hybrid Configuration Wizard on an Exchange 2010 server for Office 365, I’ve encountered this error:

[2/4/2014 13:36:8] INFO:Running command: Get-FederationInformation -DomainName 'contoso.mail.onmicrosoft.com' -BypassAdditionalDomainValidation 'True'
[2/4/2014 13:36:8] INFO:Cmdlet: Get-FederationInformation --Start Time: 2/4/2014 3:36:08 PM.
[2/4/2014 13:36:16] INFO:Cmdlet: Get-FederationInformation --End Time: 2/4/2014 3:36:16 PM.
[2/4/2014 13:36:16] INFO:Cmdlet: Get-FederationInformation --Processing Time: 7690.8.
[2/4/2014 13:36:16] INFO:Disconnected from On-Premises session
[2/4/2014 13:36:17] INFO:Disconnected from Tenant session
[2/4/2014 13:36:17] ERROR:Updating hybrid configuration failed with error 'Subtask Configure execution failed: Creating Organization Relationships.


Execution of the Get-FederationInformation cmdlet had thrown an exception. This may indicate invalid parameters in your Hybrid Configuration settings.


Operation is not valid due to the current state of the object.
at System.Management.Automation.PowerShell.CoreInvoke[TOutput](IEnumerable input, PSDataCollection`1 output, PSInvocationSettings settings)
at System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)
at System.Management.Automation.PowerShell.Invoke()
at Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.RunCommand(String cmdlet, Dictionary`2 parameters, Boolean ignoreNotFoundErrors)
'.


Additional troubleshooting information is available in the Update-HybridConfiguration log file located at C:\Program Files\Microsoft\Exchange Server\V14\Logging\Update-HybridConfiguration\HybridConfiguration_2_4_2014_13_35_39_635271177398297855.log.

Looking at the application log in the Exchange server showed an Event ID 403 with source MSExchange Common:
The Certificate named xxxxxxx in the Federation Trust 'Microsoft Federation Gateway' is expired. Please review the Federation Trust properties and the certificates installed in the certificate store of the server.

The Certificate named xxxxxxx in the Federation Trust 'Microsoft Federation Gateway' is expired. Please review the Federation Trust properties and the certificates installed in the certificate store of the server.

After checking of course, the Federation certificate was just created… and is indeed valid…..

All that was required was a quick “restart” to the application pools on the server, I usually just restart the MSExchangeServiceHost and MSExchangeProtectedServiceHost services. after that the wizard completed successfully 🙂

Hope this helped anyone,

ilantz

Manually adding a secondary SMTP proxy address for hybrid Exchange Online and Office 365

Update – 05-02-2015 – Thanks for the feedback about this post, some more work has been done, please download the new version…

Update – 07-30-2014 – Thanks for the feedback about this post, I’ve republished the code. it is now wrapped as a script and also logs results to a log file. download the new version…

I’ve been busy with more Office 365 and Hybrid Exchange Online deployments and came up with a script I hope will help some of you out there.

While deploying an Hybrid Exchange Online setup, one of the steps the Hybrid Configuration Wizard is doing is modifying the email address policy and adding “alias@tenant.mail.onmicrosoft.com” to the relevant EAP policies. This is great although there’s a good chance you have some mailboxes that are set with EmailAddressPolicyEnabled:$false

I’ve written a function script that will help you add the additional secondary SMTP proxy address to those mailboxes easily 🙂

Here’s an example on how to use the script:

.\Add-OnMicrosoftSMTP.ps1 -Tenant:ilantz

The script will require your “Tenant” name, for example – if your Office 365 tenant is ilantz.onmicrosoft.com, enter ilantz as the tenant name. Once entered it will find all mailboxes with the property EmailAddressPolicyEnabled:$false and have no routing SMTP address like *@tenant.mail.onmicrosoft.com (following the default Exchange Hybrid Configuration Wizard settings).
Then the script will add the required SMTP proxy address following the PrimarySmtpAdress prefix, if that SMTP proxy address is already taken, the function will add a random 5 digit number to the prefix – John.Doe12345@tenant.mail.onmicrosoft.com.

The script will catch and display any exceptions that may occur during the process. and will automatically log the results to a log file.

Get the script here – http://gallery.technet.microsoft.com/Office-365-Add-Exchange-14c7f0c3
Revision History
——————————————————————————–

1.0 – Initial release

1.1 – Updated and rewritten as a script instead of a function which caused confusion

1.2 – Added Logging of successful addresses being added and failures

1.3 – Updated with server-side filtering to get all relevant users for better efficiency,
an updated logging mechanism and using now the PrimarySmtpAddress prefix value for the routing address.

Enjoy !

ilantz

The Outlook Web App address is out of date – Office 365 Hybrid

Quick note from the field..

I’ve encountered an issue with an Exchange 2010 and Office 365 Hybrid configuration, users that were moved to Office 365 and tried to reach the original On-Premise OWA URL were receiving an error – The Outlook Web App address https://owa.domain.com/owa is out of date.

The Outlook Web App Address Is Out Of Date

What should have happen is that the OWA will offer the users to use the URL configured on the TargetOwaUrl parameter on the Organization Relationship to the Office 365 routing domain. After some digging I’ve realized that this hybrid setup was performed using the manual steps that were documented for Exchange 2010 SP1, so the Hybrid Configuration Wizard did not do it’s magic….

Anyhow, after comparing this setup with a working hybrid configuration including the OWA redirection, I’ve noticed that the TargetOwaUrl value did not had xxx/owa/xxxx in it’s URL.

So instead of http://outlook.com/owa/domain.mail.onmicrosoft.com – I’ve had http://outlook.com/domain.mail.onmicrosoft.com

So after running Set-OrganizationRelationship -TargetOwaURL “http://outlook.com/owa/domain.mail.onmicrosoft.com” the redirection worked as expected.

Hope this helps out anyone,

ilantz

See also: Simplify the OWA URL for Office 365 Hybrid