We migrated to Office 365 and Exchange Online a while ago. It was working fine on our mobile phones (email, Skype for Business, etc.). But a few months ago we had to update the SSL certificate on our website, which uses the same domain name as our email; its DNS also hosts a few Office 365 related records. After switching to the new certificate, problems started appearing on mobile. Clients that were already set up were fine, but adding a fresh Exchange account on a new phone resulted in weird SSL errors. Sometimes it somehow magically worked, but most of the time it showed a warning for less than a second and then an error. That’s on Android. iOS simply showed an error that it can’t check the certificate, and that’s it. Skype for Business also showed a warning, but at least there was a checkbox to accept it anyway. I was puzzled, as the website was working fine in browsers, with no complaints about it being untrusted. OWA and Outlook on PC also worked fine. This time we had purchased a wildcard certificate, so I thought maybe that was related. Lastly I had an idea that maybe our certificate was too new and the phones were missing some intermediate certificate needed to validate it, although updating the phones to the latest updates didn’t help. I was going to file a support request with Microsoft. Until..
As Azure AD Connect version 1.1.647.0 was released recently, its release notes mentioned that earlier versions erroneously left Password synchronization enabled in the Configure synchronization options window if the admin had enabled Pass-through authentication in the Change user sign-in window. PTA (Pass-through authentication) means that instead of regularly syncing hashes of your users’ password hashes from your local AD to Azure AD so they can authenticate to Office 365 apps and services, Azure AD sends a request to AD Connect when a user tries to authenticate, and AD Connect queries your local AD and compares the hashes. So in that case no passwords (or hashes of hashes of passwords, as MS advertises) are stored outside of your network in the cloud. This lets you avoid the complex setup of ADFS and get the same functionality with a simple AD Connect service. In theory..
That’s not exactly my usual tip article for Office 365, but I thought I should still share this information. In July the Office 365 client (MS Office suite) in the Current Channel was updated. They added a real-time collaboration feature (as well as AutoSave) to the Excel application. This made it possible to work with an Excel document the same way as was already possible in Word. A number of conditions must apply, though. First, the file has to be stored in OneDrive or SharePoint Online. You also have to open it via a browser and then choose to edit it in MS Excel. Opening a file from your OneDrive folder on your PC doesn’t activate those features. That’s all cool and dandy (although while trying it in Word we found that it often doesn’t work that well). But this also gave MS a reason to remove older features like Share Workbook and Track Changes from the Office Ribbon in Excel. These features gave somewhat similar (although not real-time) results, but for files stored on a Windows share or sent via email. In our company we still heavily use the Share Workbook feature, so it was annoying to find out. Fortunately MS wasn’t dumb enough to remove them completely. One can still find these buttons in File > Options > Customize Ribbon > All Commands and add them to a custom tools group (you can create that group in the same place these buttons were before). The buttons have a “(Legacy)” label attached to them. So this explains MS’s thinking: retire these features in favor of the new ones, which encourage you to use their cloud services even more.
After using XMPP (“Jabber”) for 15+ years it is sometimes hard to wrap your head around some of the principles Microsoft communication tools work on. We were used to having full control of our users’ contact lists. This meant every user had a list of groups with contacts (we usually had all the employees there, divided into departments). When someone left the company, switched departments or changed their name, we (admins) would change that and it would automatically appear for everyone. Now, with Skype, you don’t have that. The idea is that you know best who you need in your contacts and you should search for and add them yourself. I can see some sense in that. You probably don’t need every coworker there, but users are lazy, new employees wouldn’t know whom to add, etc. There could be an option to do it one way or the other. But there is none.
A user’s last name change was never a trivial change for us. There are so many places and systems that have to be updated. Some require changing the name, some even require creating a new user and deleting the old one. With on-premises Exchange we were used to just renaming the user in AD (leaving its username (pre-Win2000 UPN) the same) and then creating a new mail alias and making it primary. Recently I had to do this for a synced Exchange Online user and that was “fun”. For the most part it worked fine. But I’m already developing a habit: sometimes with MS cloud services you just have to wait for things to start working. Say you just set up a new OneDrive user and try to share a file. It doesn’t send sharing notification emails? Try the next day. It should work then.. Read More
I have read a pretty recent article claiming that you almost must still have an on-premises Exchange installation to manage mailboxes in Exchange Online after you have migrated to Office 365. I have also heard that in order to have a new shared mailbox, you have to first create a regular one and then convert it. Well, some of these things might have worked this way in the past and some might be just a matter of convenience. But everything is much simpler now. Although, we are still in Hybrid mode and some things might change once we finally get rid of our on-premises Exchange.
To create a shared or room mailbox you just do that – go to the EAC (Exchange admin center in the Office 365 portal), go to shared or resources and create a shared mailbox (assign an address and permissions for the users who will use this shared mailbox) or a room. When saving a new shared mailbox it shows me a warning that it failed to replicate it. But it actually creates it and you can open it via OWA pretty soon. It took 15-20 minutes for it to actually appear in the Outlook of a user having permissions to it. The same goes for rooms. It takes some time. Longer than with on-premises Exchange, but it eventually appears in Outlook. Read More
This is not a usual issue and in my case happened only once during some experimentation. But it still can happen. We have our AD objects synchronized into Azure AD via the Azure AD Connect service. When you delete a user in your local AD, after a synchronization it is moved into the Deleted users container in Azure AD (Admin center > Users > Deleted users). You can even restore a user via the graphical interface in the Office 365 admin center. Though I haven’t tried this, as it might not play well with our setup. But you can’t delete users from Deleted users in there. They will disappear after a 30-day period. If you still need to remove a deleted user right away, there is a PowerShell command for that. To do this you have to install the Azure AD PowerShell Module, which I have mentioned here.
When I started digging deeper into some aspects of Office 365 I discovered an interesting and a bit weird (in my opinion) thing. It wasn’t a surprise that some advanced changes are only possible via PowerShell (Microsoft has been pushing its shell for many years). But there is no unified, single PowerShell module to manage all the services. You almost have to install and use a separate module for every service. Some of them have different procedures to log in. That’s a jarring experience. I will try to describe a few of them that might be useful, especially when dealing with support, which often asks for the output of some PowerShell commands on your tenant. Personally I install them all on the same server running Azure AD Connect, as none of my workstations were running a 64-bit OS at the moment (and many of these modules, if not all, require x64) and I decided to keep everything related to Office 365 in one place. Read More
Microsoft and its partners advertise Exchange Online and Outlook.com as having one of the best spam filters. Well, every email service brags about that. But in reality things are not so good. Prior to switching our incoming and outgoing email traffic to Exchange Online we were using a locally hosted solution. Well, we are still kind of using it, as not all mailboxes have been migrated yet. But all the filtering is done on the cloud side now. The hosted solution consists of an Exchange 2013 server and an IronPort firewall/anti-spam appliance. This is managed by a service provider and we do not have control of it (aside from creating mailboxes and tweaking some minor stuff). We had a number of filtering rules created for us by our provider. It wasn’t perfect. IronPort seems to not be that flexible. But when we switched to Exchange Online, all hell broke loose.. Well, not that bad actually. But we certainly saw an increase in spam. And sometimes it let emails with just a link to “learn how to please your girlfriend” come through. Well, I wouldn’t call SUCH filtering a first class service 🙂 Read More
If you have used an on-premises Exchange server before, then managing aliases is a trivial task. But if you are synchronizing your AD information into Azure AD (e.g. with the Azure AD Connect service) so you can assign Office 365 licenses and services to your users, then things become a little bit trickier. Mail aliases and primary addresses are attributes of your internal AD users, and the information is only synced in one direction (from your on-premises AD to Azure AD). So you can’t add or change aliases in the Exchange Online admin center for the existing mailboxes. This change has to be applied in your AD environment and then synced to Azure AD. This can be done by opening the AD user properties window and going to the Attribute Editor tab (if it is not there, you first have to enable View > Advanced Features in your Active Directory Users and Computers snap-in). In that tab find the proxyAddresses entry, select it and press the Edit button. Then you can add or remove aliases. An alias is added in the form smtp:firstname.lastname@example.org. The user’s primary address is the one whose prefix is the capitalized SMTP:. When you add an alias address here, it won’t automatically appear in Exchange Online. You have to wait for the synchronization with Azure AD to occur. When using Azure AD Connect, automatic synchronization occurs every 30 minutes. You can also do a manual sync with this PowerShell command:
Start-ADSyncSyncCycle -PolicyType Delta
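The same alias change done from PowerShell instead of the Attribute Editor, as an added example that is not part of the original post. It assumes the ActiveDirectory (RSAT) and ADSync modules are installed on the machine it runs on, and `$SamAccountName` / `$NewAlias` are placeholders for your own values; it refuses to write when the user already has more than one primary `SMTP:` entry or when the alias is already held by another object, since both surface later as Azure AD Connect sync errors.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory module
# (RSAT) and the ADSync module (installed with Azure AD Connect) are available and
# that $SamAccountName and $NewAlias are your own values.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [Parameter(Mandatory)] [string] $NewAlias   # e.g. firstname.lastname@example.org
)
Import-Module ActiveDirectory

$entry = "smtp:$NewAlias"   # lowercase "smtp:" = secondary alias, "SMTP:" = primary

$user = Get-ADUser -Identity $SamAccountName -Properties proxyAddresses

# Exactly one value may carry the capitalized "SMTP:" prefix. -clike is case-sensitive,
# so only the primary address matches here.
$primary = @($user.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' })
if ($primary.Count -ne 1) {
    throw "$SamAccountName has $($primary.Count) primary SMTP addresses; fix that first."
}

# proxyAddresses values must be unique across the directory: a duplicate on two
# objects shows up as a sync conflict in Azure AD Connect, so check before writing.
$owner = Get-ADObject -Filter "proxyAddresses -eq '$entry'" -Properties proxyAddresses
if ($owner -and $owner.DistinguishedName -ne $user.DistinguishedName) {
    throw "$entry is already assigned to $($owner.DistinguishedName)."
}

if ($user.proxyAddresses -contains $entry) {
    Write-Output "$entry is already present on $SamAccountName, nothing to do."
} else {
    # -Add appends to the multi-valued attribute without touching existing values.
    Set-ADUser -Identity $user -Add @{ proxyAddresses = $entry }
    Write-Output "Added $entry to $SamAccountName."
}

# Trigger a delta sync now instead of waiting up to 30 minutes for the scheduler.
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta
```

Run it on the Azure AD Connect server (which is where the ADSync module lives), or drop the last two lines and run them there separately.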