Remove orphaned delegation permissions of a deleted user in Exchange Online mailbox

You might think that a user’s delegate permissions on other mailboxes would be removed upon deleting the account in Azure Active Directory; apparently that wasn’t the case for me.


Scenario:

Location – Calendar folder of ‘manoj@mantoso.live:\Calendar’

Delegated editor permissions to – ‘Marie Jonas’ (Abandoned identity after AD account deletion)

Even though this particular account was permanently deleted from Azure AD 30 days after being marked for deletion, its delegated (editor) access to other users’ Exchange mailboxes remained intact, which caused the following strange behaviors that I had to get rid of.

  • Others can still spot this user’s name in the calendar invites
  • Possibly on various other occasions too, depending on the permissions the user had before deletion

Here’s the PowerShell command to fetch the permissions of a specific location. This will list all the delegated permissions on Manoj’s Exchange calendar. In my case, the abandoned user also popped up in the results.

Get-EXOMailboxFolderPermission "manoj@mantoso.live:\calendar" 


Now, to narrow this down to the mysterious user specifically, let’s run this command

Get-EXOMailboxFolderPermission "manoj@mantoso.live:\calendar" | where {$_.user.tostring() -like "Marie Jonas*"}


This means the permission thumbprint is intact even after the account was permanently deleted, which is a mystery. To get rid of it, we can use the command below. I tried several other approaches from various Microsoft articles and forum posts, but none of them worked except the following.

Get-EXOMailboxFolderPermission "<user@domain.com:\calendar>" | where {$_.user.tostring() -like "<FirstName Last Name>*"} | Remove-MailboxFolderPermission -Confirm:$False

After running that with no errors or warnings, I ran the Get command again to verify that it really was a success. And yes! Nothing was returned, which means the permissions are now cleared for this abandoned identity of ‘Marie Jonas’.


After a couple of hours, her name disappeared from the calendar invites as well.
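The same check generalized to every user mailbox in the tenant, as an added example that is not part of the original post: it reports Calendar folder permission entries whose holder no longer resolves to any recipient, and clears them with the same pipeline the post used only when -Remove is passed. It assumes an existing Connect-ExchangeOnline session (ExchangeOnlineManagement module) and that the orphaned holder appears under its former display name, as it did in this case.

```powershell
# Added example, not from the original post. Audit the Calendar folder of every
# user mailbox for delegate entries whose holder no longer resolves to a recipient,
# write them to CSV and (only with -Remove) clear them via the pipeline the post used.
# Assumes an existing Connect-ExchangeOnline session (ExchangeOnlineManagement module).
function Find-OrphanedFolderPermission {
    param(
        [string]$Folder = "Calendar",
        [string]$ReportPath = "C:\Exports\OrphanedFolderPermissions.csv",
        [switch]$Remove
    )

    # Built-in entries that never resolve to a recipient and must be left alone
    $builtIn = @("Default", "Anonymous", "Owner@local", "Member@local")
    $orphans = New-Object System.Collections.Generic.List[object]

    Get-EXOMailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited | ForEach-Object {
        $mailbox  = $_
        $folderId = "$($mailbox.PrimarySmtpAddress):\$Folder"
        $perms    = Get-EXOMailboxFolderPermission -Identity $folderId -ErrorAction SilentlyContinue

        foreach ($perm in $perms) {
            $holder = $perm.User.ToString()
            if ($builtIn -contains $holder) { continue }
            # External calendar-sharing entries show as ExchangePublishedUser.<address>; not orphans
            if ($holder -like "ExchangePublishedUser.*") { continue }

            # Holders are matched on DisplayName; single quotes are escaped for the OPATH filter
            $escaped   = $holder -replace "'", "''"
            $recipient = Get-EXORecipient -Filter "DisplayName -eq '$escaped'" -ErrorAction SilentlyContinue
            if ($null -ne $recipient) { continue }

            $orphans.Add([pscustomobject]@{
                Mailbox      = $mailbox.PrimarySmtpAddress
                Folder       = $folderId
                Holder       = $holder
                AccessRights = ($perm.AccessRights -join ",")
            })

            if ($Remove) {
                # Pipe the permission object itself, as in the post: resolving the
                # deleted holder by name no longer works once the account is gone
                $perm | Remove-MailboxFolderPermission -Confirm:$false
            }
        }
    }

    $orphans | Export-Csv -Path $ReportPath -NoTypeInformation
    return $orphans
}

# Report-only run first; re-run with -Remove once the CSV has been reviewed
Find-OrphanedFolderPermission -Folder "Calendar" | Format-Table -AutoSize
```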


Removing orphaned OneDrive secondary site collection admins

This is a scenario where the user was deleted from Azure AD months ago, but the OneDrive secondary site collection administrator permission assignments (OneDrive secondary admin) remained intact as thumbprints. The target account was supposed to be a service account used during a file server migration project, and it had apparently been assigned OneDrive secondary site collection admin permission across all users in the tenancy.


The generic SharePoint Online commands did not do the job because “The user account does not exists in the AD”, hence the identity validation fails in the first place. The OneDrive admin UI will do the job for a single OneDrive account, but it doesn’t help much in bulk operation scenarios like the one I dealt with.

Workaround: To remove this I used the SharePoint PnP PowerShell command, which was the only way around it.

Add yourself first in to one of the site collections (OneDrive accounts) before running the command so that you can verify the status ‘before’ and the result ‘after’.

For a single site collection (a OneDrive personal site in this case), run PowerShell as admin and execute these lines after customizing them with your tenant URL and user details. In this case we use the ‘Span ID’ to point to the abandoned account, which usually takes the form i:0#.f|membership|service.svc@tenant.onmicrosoft.com

#Config Variables - Customize this to match yours 
$SiteURL = "https://mantoso-my.sharepoint.com/personal/manoj_karunarathne_mantoso_com"
$UserID="i:0#.f|membership|account@tenant.onmicrosoft.com"
 
#Connect to PnP Online Service MFA
Connect-PnPOnline -Url $SiteURL -UseWebLogin
 
#sharepoint online powershell delete user from site collection
Remove-PnPUser -Identity $UserID -Force

If your result is similar to the one below, the command has done its job! Now go and check that permission box and you should not see that account anymore.
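The bulk counterpart of the single-site commands above, as an added example that is not part of the original post: it enumerates every OneDrive personal site, grants the running admin site collection admin rights where needed (the “add yourself first” step), and removes the orphaned login name with Remove-PnPUser. It assumes PnP.PowerShell with an interactive sign-in whose token is reused for each site connection; the tenant name, admin account and login name are placeholders.

```powershell
# Added example, not from the original post. Report-only by default; set $Remove
# to $true after reviewing the CSV. Tenant, admin UPN and login name are placeholders.
$Tenant   = "mantoso"                                                # placeholder
$AdminUpn = "admin@mantoso.com"                                      # placeholder
$UserID   = "i:0#.f|membership|service.svc@tenant.onmicrosoft.com"   # placeholder
$Remove   = $false

# Keep a separate connection to the admin site; site connections are opened per OneDrive
$admin = Connect-PnPOnline -Url "https://$Tenant-admin.sharepoint.com" -Interactive -ReturnConnection
$oneDrives = Get-PnPTenantSite -IncludeOneDriveSites -Filter "Url -like '-my.sharepoint.com/personal/'" -Connection $admin

$report = foreach ($site in $oneDrives) {
    # Site collection admin rights are needed to read and change the site's user list
    Set-PnPTenantSite -Url $site.Url -Owners $AdminUpn -Connection $admin
    $conn = Connect-PnPOnline -Url $site.Url -Interactive -ReturnConnection

    $orphan = Get-PnPUser -Connection $conn | Where-Object { $_.LoginName -eq $UserID }
    if ($null -eq $orphan) { continue }

    $status = "Found"
    if ($Remove) {
        Remove-PnPUser -Identity $UserID -Force -Connection $conn
        # Verify on the same site that the entry is really gone
        $stillThere = Get-PnPUser -Connection $conn | Where-Object { $_.LoginName -eq $UserID }
        $status = if ($stillThere) { "StillPresent" } else { "Removed" }
    }
    [pscustomobject]@{ Site = $site.Url; WasSiteAdmin = $orphan.IsSiteAdmin; Status = $status }
}

$report | Export-Csv -Path "C:\Exports\OrphanedOneDriveAdmins.csv" -NoTypeInformation
$report | Format-Table -AutoSize
```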


Error when accessing Exchange Online classic Admin Center (EAC): 403 Access denied :(

We have been pulling our hair out for several days over this issue. The Office 365 Exchange admin center gives the following error, whereas the new admin center worked well.

When you click the “Exchange” blade in the Office 365 admin center, it usually takes you to the classic admin center, which we still need for some functions that the new admin center doesn’t have.


After a lot of struggle, we managed to figure out the root cause and reported it to Microsoft through an incident.

Root cause: Group based access assignments in Privileged Identity Management.


Workaround: We had assigned Azure AD roles such as Global Administrator and Exchange Administrator via group-based PIM, which did not work properly with the classic EAC. Assigning direct permissions fixed this, and we managed to open the classic console immediately after the direct assignment. If you are facing the same, try to get rid of “Group Assignments” for Exchange admins, at least for the time being, and go for “Direct Assignments”.

Official reference: https://docs.microsoft.com/en-us/azure/active-directory/roles/groups-concept 


I will update this post upon Microsoft’s support response.

Renew Apple MDM Push Certificate in Microsoft Endpoint Manager (Intune)

The Apple MDM Push certificate is the key element for Microsoft Endpoint Manager to manage iOS/iPadOS and macOS devices in the MEM portal. After you add the certificate to Endpoint Manager, your users can enroll their devices using the Company Portal app or Apple’s bulk enrollment methods such as the Device Enrollment Program (a.k.a. DEP), Apple School Manager, or Apple Configurator.


This renewal is crucial: ensure that you take the necessary actions before the expiry date, as revoking this certificate or allowing it to expire will require existing devices to be re-enrolled with a new push certificate.

Prerequisites for renewal:

  1. Apple Identity portal account (usually different from the Apple ID) which was used to set up the integration for your organization – https://identity.apple.com/pushcert/
  2. MFA code (sent to the device registered for MFA under the above account)
  3. Appropriate access to MEM (Microsoft Endpoint Manager, a.k.a. the Intune portal) – https://endpoint.microsoft.com/

First we need to sign in to the MEM portal using your admin credentials; copy and paste this link and sign in: https://endpoint.microsoft.com/

Navigate to the Devices blade from the left panel, go to the Apple iOS/iPadOS enrollment section as shown below, and then click the ‘Apple MDM Push Certificate’ widget.


From the screen that pops up, simply click ‘download CSR file’ under the 2nd option. Save it to a secure, temporary location, as we will delete it after the renewal.


Let’s now switch to the Apple Identity portal. This is where you need the original credentials that were used to set up the integration with Intune. Log in with that account at this site – https://identity.apple.com/pushcert/


You can avoid MFA using other options, but this may not be the same in your case. Hence make sure you have the device associated with the account to receive the MFA code. Hit ‘Continue’ to enter the code, or go to ‘other options’ to avoid it.


It is highly recommended to associate a mobile device for MFA if you haven’t already, or choose the ‘don’t upgrade’ option to avoid it.


Once logged in, you will see all your certificates listed with the expiry date stated.


That little ‘i’ button will show you more details of each certificate if you have multiple (mostly used for different tenancies under a single account). The Serial Number is the key to identifying which is which from the Intune portal. Ensure that you are renewing the correct certificate by cross-checking the Serial No here against Intune. Once confirmed, simply click the ‘Renew’ button above and you should see a new dialog box prompting.


Add a note indicating who renewed it, which is useful in an organization where this will be done by another person next year.

And now choose the CSR file you downloaded from Intune and hit ‘Upload’


That’s it, and the green tick indicates everything went well. Simply download the certificate and store it in the same secure location where you stored the CSR previously.


You should see the new expiry date for this certificate now.


Let’s head back to the MEM (Intune) portal now and upload the new certificate file there. You should also provide the original Apple ID that was used to create the MDM push certificate. Once done, hit the ‘Upload’ button.


That’s about it, and now you will see a green status prompt indicating it went well.


The certificate should now be valid for another year!
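A way to keep this renewal on a schedule instead of discovering it late, as an added example that is not part of the original post: it reads the Apple MDM push certificate that Intune currently holds via Microsoft Graph and flags it when expiry is near, exposing the serial number so it can be cross-checked against the Apple portal as described above. It assumes the Microsoft.Graph.DeviceManagement module; the Graph scope and the warning threshold are assumptions.

```powershell
# Added example, not from the original post. Reads the tenant's Apple MDM push
# certificate from Microsoft Graph and reports how close it is to expiry.
# Assumes Microsoft.Graph.DeviceManagement; scope and threshold are assumptions.
function Test-ApplePushCertificate {
    param([int]$WarnDays = 30)

    Connect-MgGraph -Scopes "DeviceManagementServiceConfig.Read.All" | Out-Null
    $cert = Get-MgDeviceManagementApplePushNotificationCertificate
    if ($null -eq $cert -or $null -eq $cert.ExpirationDateTime) {
        throw "No Apple MDM push certificate is configured in this tenant"
    }

    $expires  = ([datetime]$cert.ExpirationDateTime).ToUniversalTime()
    $daysLeft = [int]($expires - (Get-Date).ToUniversalTime()).TotalDays
    $state    = if ($daysLeft -lt 0) { "Expired" }
                elseif ($daysLeft -le $WarnDays) { "RenewNow" }
                else { "Ok" }

    [pscustomobject]@{
        AppleId      = $cert.AppleIdentifier         # account that must sign in at identity.apple.com
        SerialNumber = $cert.CertificateSerialNumber # compare with the 'i' details in the Apple portal
        ExpiresUtc   = $expires
        DaysLeft     = $daysLeft
        State        = $state
    }
}

# Anything other than "Ok" should open the renewal procedure described above
Test-ApplePushCertificate -WarnDays 45 | Format-List
```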


‘Connect-MsolService’ is not recognized as the name of a cmdlet

If you are facing this issue, you are not alone. In my case, I had run the install-Msolservice command before and it completed with no errors, but nothing seemed to be installed; therefore it didn’t connect or recognize the modules on the machine. Here are the steps to get it fixed.

Open PowerShell as Admin –> Run the following commands in sequence (ensure your machine is connected to the internet)

Firstly, uninstall the AzureAD module

uninstall-module AzureAD

Then re-install it

Install-module AzureAD
Install-module AzureADPreview

Try to run this. It will complete without any errors if the module exists but is somehow corrupted (it could fail too, but run it anyway to verify)

Uninstall-module MSOnline

Now re-install the MSOnline Module

Install-module MSOnline

And now you can connect to O365. It should prompt you for credentials to log in

Connect-MsolService

Once completed, the following command can be used to verify the installation.

Get-Module -ListAvailable -Name MSOnline*
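A check-before-reinstall version of the sequence above, as an added example that is not part of the original post: it shows where any MSOnline copies live and whether that path is on PSModulePath for the current session (a common reason an install “completes with no errors” yet the cmdlet is not recognized), and only then repeats the post’s uninstall/reinstall order. It assumes PowerShellGet and internet access; the -Scope and -AllowClobber choices are assumptions.

```powershell
# Added example, not from the original post. Diagnose first, then repair in the
# same order the post uses. Assumes PowerShellGet and internet access.
function Repair-MsolModule {
    param([switch]$Reinstall)

    $found = Get-Module -ListAvailable -Name MSOnline
    $cmd   = Get-Command Connect-MsolService -ErrorAction SilentlyContinue

    # A module installed into a folder that is not on PSModulePath for this
    # session (e.g. CurrentUser scope under a different profile) is never found
    $paths = $env:PSModulePath -split ';'
    foreach ($m in $found) {
        $onPath = [bool]($paths | Where-Object { $m.ModuleBase -like "$_*" })
        Write-Host ("MSOnline {0} at {1} (on PSModulePath: {2})" -f $m.Version, $m.ModuleBase, $onPath)
    }

    if ($cmd -and -not $Reinstall) {
        Write-Host "Connect-MsolService resolves to $($cmd.ModuleName) $($cmd.Version); nothing to repair"
        return $true
    }

    # Same sequence as the post; Uninstall-Module is allowed to fail when nothing usable exists
    foreach ($name in "AzureAD", "MSOnline") {
        Uninstall-Module -Name $name -AllVersions -Force -ErrorAction SilentlyContinue
    }
    Install-Module -Name AzureAD -Scope AllUsers -Force
    # AzureADPreview ships the same cmdlet names as AzureAD, hence -AllowClobber
    Install-Module -Name AzureADPreview -Scope AllUsers -Force -AllowClobber
    Install-Module -Name MSOnline -Scope AllUsers -Force

    Import-Module MSOnline -Force
    return [bool](Get-Command Connect-MsolService -ErrorAction SilentlyContinue)
}

# Run from an elevated PowerShell; returns $true once Connect-MsolService resolves
Repair-MsolModule
```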


Permanently deleting an Office 365 Group object in retention enabled environment

There is a stage where an Office 365 group reaches its end. As the O365 group plays a major role in many Office 365/Azure related workloads, there are plenty of situations in which you have to get rid of some of your Office 365 Groups.

For instance, you may have removed your Team and its associated SharePoint site, but the group object could still be hanging in the recycle bin until it reaches the retention period set by your retention policy. Or perhaps you have decided to delete a SharePoint site or Microsoft Team and find that you cannot create another team or site in its place: you receive an error saying this group already exists. This is because the group was deleted as a ‘soft delete’, meaning it sits in a recycle bin for a number of days until it is permanently deleted (retention plays again). Just follow these steps and you will immediately get rid of that unnecessary group object.

First and foremost, ensure that the Azure AD PowerShell module is installed on your PC.

Run the following commands in sequence.

This first line will connect you to your Office 365 tenant’s Azure AD. You will be prompted for the credentials to log in.

Connect-AzureAD


Now let’s run this one to get the group GUID from the deleted list

Get-AzureADMSDeletedGroup


Copy that GUID of the desired group and run the following by targeting that ID.

Remove-AzureADMSDeletedDirectoryObject -Id <ReplaceWithGroupID>

It should produce the following result if it was successful


To ensure the deletion was successful, run the same command again and check that it no longer returns the group you deleted. It shouldn’t!

Get-AzureADMSDeletedGroup
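The three steps above folded into one function, as an added example that is not part of the original post: it looks the soft-deleted group up by display name, refuses to act when more than one deleted group carries that name (so the wrong object is never purged), requires -Force before calling Remove-AzureADMSDeletedDirectoryObject, and verifies afterwards. It assumes an existing Connect-AzureAD session (AzureAD module); the group name in the usage line is a placeholder.

```powershell
# Added example, not from the original post. Purge a soft-deleted Office 365
# group by display name with an ambiguity guard and a post-delete verification.
# Assumes an existing Connect-AzureAD session (AzureAD module).
function Remove-SoftDeletedGroup {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [switch]$Force
    )

    $candidates = @(Get-AzureADMSDeletedGroup | Where-Object { $_.DisplayName -eq $DisplayName })
    if ($candidates.Count -eq 0) {
        Write-Warning "No soft-deleted group named '$DisplayName' was found"
        return $null
    }
    if ($candidates.Count -gt 1) {
        # Two deleted groups can share a name; purging by name would be a guess
        throw "$($candidates.Count) soft-deleted groups are named '$DisplayName'; pass the Id to Remove-AzureADMSDeletedDirectoryObject directly"
    }

    $group = $candidates[0]
    Write-Host ("Target: {0} (Id {1}, mail nickname {2})" -f $group.DisplayName, $group.Id, $group.MailNickname)
    if (-not $Force) {
        Write-Host "Dry run only; re-run with -Force to permanently delete this group"
        return $group
    }

    Remove-AzureADMSDeletedDirectoryObject -Id $group.Id

    # A purged group must no longer appear in the deleted list
    $stillListed = Get-AzureADMSDeletedGroup | Where-Object { $_.Id -eq $group.Id }
    if ($stillListed) { throw "Group $($group.Id) is still listed as soft-deleted" }
    Write-Host "Group $($group.Id) permanently deleted; its name can be reused"
    return $group
}

# Placeholder group name; first call is a dry run, second performs the purge
Remove-SoftDeletedGroup -DisplayName "Project Phoenix"
Remove-SoftDeletedGroup -DisplayName "Project Phoenix" -Force
```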

Retrieve and export Office 365 Group Members (Part02)

This is the 2nd part of the article series “Retrieve and export Office 365 Group Members”. In this post we cover the second part.


  1. Retrieve and export members of an specific Office 365 group (Part01)
  2. Retrieve and export members of all Office 365 groups (Part 02)

The best tool to run this kind of script is the PowerShell ISE. Copy the following code, paste it into the PowerShell ISE, and make sure you run it as Admin.


### All users of all groups

$CSVPath = "C:\Exports\AllGroupMembersList.csv"

### Get Credentials
$Credential = Get-Credential

### Create Session
### Note: Basic-auth remote PowerShell to outlook.office365.com has since been retired;
### Connect-ExchangeOnline (ExchangeOnlineManagement module) is the supported replacement
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Credential -Authentication Basic -AllowRedirection

### Import Session
Import-PSSession $Session -DisableNameChecking

### Remove the CSV file if it already exists
If (Test-Path $CSVPath) { Remove-Item $CSVPath }

### Retrieve all Office 365 Groups (-ResultSize Unlimited avoids the default 1000-item cap)
$O365Groups = Get-UnifiedGroup -ResultSize Unlimited
ForEach ($Group in $O365Groups)
{
    Write-Host "Group Name:" $Group.DisplayName -ForegroundColor Green

    ### Fetch the members once, show them on screen and append them to the CSV
    $Members = Get-UnifiedGroupLinks -Identity $Group.Id -LinkType Members -ResultSize Unlimited
    $Members | Select-Object DisplayName, PrimarySmtpAddress

    ### Get Group Members and export to CSV
    $Members | Select-Object @{Name="Group Name";Expression={$Group.DisplayName}},`
         @{Name="User Name";Expression={$_.DisplayName}}, PrimarySmtpAddress | Export-CSV $CSVPath -NoTypeInformation -Append
}

### Remove the session
Remove-PSSession $Session

A closer look once you paste it will look like this. Make sure to replace the $CSVPath value before you run it.


Just hit the play button to run the whole thing or you can highlight a specific line to run that only.


If all went well, you will not get any prompts or errors except the credentials prompt.

The group members list, with the respective group name, will then be listed in the PowerShell result pane, just like below.


And if you go back to your export folder, the CSV will also sit there just for you to open and see.


DISCLAIMER NOTE: This is an enthusiast post and is not sponsored by Microsoft or any other vendor. Please do not copy/duplicate the content of the post unless you are authorized by me to do so.

Stay ahead on Hybrid Identities–Microsoft’s Azure AD Connect v1.3.20.0 has a lot to offer

Microsoft released the latest version of Azure AD Connect last week, which was long awaited!


Azure AD Connect is the bridge used by many organizations to synchronize identities (objects and their attributes) between on-premises and cloud environments. However, not every feature bundled in this release targets every audience. You can choose the ones that are most applicable to your organization’s environment.

Download the latest version of AADConnect

Fixes this version carries:

  1. Fix the SQL reconnect logic for ADSync service
  2. Fix to allow clean Install using an empty SQL AOA DB
  3. Fix PS Permissions script to refine GWB permissions
  4. Fix VSS Errors with LocalDB
  5. Fix misleading error message when object type is not in scope
  6. Corrected an issue where installation of Azure AD PowerShell on a server could potentially cause an assembly conflict with Azure AD Connect.
  7. Fixed PHS bug on Staging Server when Connector Credentials are updated in the old UI.
  8. Fixed some memory leaks
  9. Miscellaneous Auto upgrade fixes
  10. Miscellaneous fixes to Export and Unconfirmed Import Processing
  11. Fixed a bug with handling a backslash in Domain and OU filtering
  12. Fixed an issue where ADSync service takes more than 2 minutes to stop and causes a problem at upgrade time.

New features and advancements (19 new stuff in one go !)

  1. Add support for Domain Refresh
  2. Exchange Mail Public Folders feature goes GA
  3. Improve wizard error handling for service failures
  4. Added warning link for old UI on connector properties page.
  5. The Unified Groups Writeback feature is now GA
  6. Improved SSPR error message when the DC is missing an LDAP control
  7. Added diagnostics for DCOM registry errors during install
  8. Improved tracing of PHS RPC errors
  9. Allow EA creds from a child domain
  10. Allow database name to be entered during install (default name ADSync)
  11. Upgrade to ADAL 3.19.8 to pick up a WS-Trust fix for Ping and add support for new Azure instances
  12. Modify Group Sync Rules to flow samAccountName, DomainNetbios and domainFQDN to cloud – needed for claims
  13. Modified Default Sync Rule Handling – read more here.
  14. Added a new agent running as a windows service. This agent, named “Admin Agent”, enables deeper remote diagnostics of the Azure AD Connect server to help Microsoft Engineers troubleshoot when you open a support case. This agent is not installed and enabled by default. For more information on how to install and enable the agent see What is the Azure AD Connect Admin Agent?.
    Updated the End User License Agreement (EULA)
  15. Added auto upgrade support for deployments that use AD FS as their login type. This also removed the requirement of updating the AD FS Azure AD Relying Party Trust as part of the upgrade process.
  16. Added an Azure AD trust management task that provides two options: analyze/update trust and reset trust.
  17. Changed the AD FS Azure AD Relying Party trust behavior so that it always uses the -SupportMultipleDomain switch (includes trust and Azure AD domain updates).
  18. Changed the install new AD FS farm behavior so that it requires a .pfx certificate by removing the option of using a pre-installed certificate.
  19. Updated the install new AD FS farm workflow so that it only allows deploying 1 AD FS and 1 WAP server. All additional servers will be done after initial installation.

If you plan to upgrade, the following resources should be your first reads.

Office 365 Multi-Geo Part03 (Configuring)

This is the part 03 of this article series where we will be going through the technical part of enabling Multi-Geo in Office 365.


Part 1: Get Started

Part 2: Planning and recommendation

Part 3: Configuration

Let’s ensure that we have the following in place before we get started.

  1. Office 365 Multi-geo capability is added to the tenant. As the introductory article stated, this capability is a user-level service plan that is optional for you to add. If you have worked closely with your account team this might be all set to go by now.
  2. Test users created and are ready to use.

If you have enabled Multi-Geo, a new tab called “Geo Location” should now appear under the settings in the SharePoint and OneDrive admin panels.

To add new geo locations, open the SharePoint admin center –>
Navigate to the Geo locations tab. Click Add location –> Select the location that you want to add, and then click Next –>
Type the domain that you want to use with the geo location, and then click Add –> click Close.

Every new location that you add here is called a “satellite location”.


If everything went well, you will receive an email notification within a few hours of provisioning. It could take up to 72 hours, depending on the size of your tenant.

Once the new geo location appears in blue on the map on the Geo locations tab in the OneDrive admin center, you can proceed to set users’ preferred data location to that geo location. A new satellite location comes with the default settings, which gives you the freedom to localize them as per your compliance needs.

After enabling the satellite locations, it is recommended to set the Preferred Data Location (PDL) for every user in the directory. In Azure AD there are two types of identities: cloud and synchronized. You have to follow the right instructions for each of them when it comes to setting the PDL.

Setting PDL for cloud only users (Azure Users)

User objects that are not synchronized from a local AD are the cloud-only ones. You have to use Microsoft Azure AD PowerShell to set this configuration for such users. This procedure needs the Azure AD Module for Windows PowerShell.

  1. Launch the Microsoft Azure Active Directory Module for Windows PowerShell, run the following line and enter the admin credentials for your Office 365 tenant.

Connect-MsolService

  2. Now let’s run the next line to set the PDL for a specific user.

Set-MsolUser -userprincipalName manoj@mantoso.onmicrosoft.com -PreferredDatalocation AUS

  3. To find out whether this executed properly, you can use the following command. It should return the new PDL value.

(Get-MsolUser -userprincipalName manoj@mantoso.onmicrosoft.com).PreferredDatalocation

Note: During the new user creation process, it is recommended that you include the set-PDL command at the end of the workflow, so that you do not have to do it as a separate task.

For users with no OneDrive provisioned yet, it is better to wait at least 24 hours to allow the change to propagate in the backend. This ensures that OneDrive sites are provisioned in the correct PDL for such users.
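The per-user commands above applied to a whole batch, as an added example that is not part of the original post: it reads the UPN list prepared during planning, skips synchronized (hybrid) users because their PDL has to come through Azure AD Connect rather than Set-MsolUser, rejects malformed geo codes before calling the service, and reads each value back to confirm it stuck. It assumes an existing Connect-MsolService session; the CSV column names and the sample rows are constructed.

```powershell
# Added example, not from the original post. Bulk-set PreferredDataLocation for
# cloud-only users from a CSV (columns UserPrincipalName, PreferredDataLocation are
# assumed), skipping hybrid users and verifying each write. Assumes Connect-MsolService.
function Set-BatchPreferredDataLocation {
    param([Parameter(Mandatory)][string]$CsvPath)

    foreach ($row in Import-Csv -Path $CsvPath) {
        $upn = $row.UserPrincipalName.Trim()
        $pdl = $row.PreferredDataLocation.Trim().ToUpper()
        $result = [pscustomobject]@{ UserPrincipalName = $upn; Requested = $pdl; Actual = $null; Status = $null }

        # Geo codes are three-letter identifiers such as AUS; reject anything else up front
        if ($pdl -notmatch '^[A-Z]{3}$') { $result.Status = "InvalidCode"; $result; continue }

        $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
        if ($null -eq $user) { $result.Status = "UserNotFound"; $result; continue }

        # LastDirSyncTime is populated only for users synchronized from on-premises AD;
        # their PDL must flow through Azure AD Connect, not Set-MsolUser
        if ($null -ne $user.LastDirSyncTime) {
            $result.Actual = $user.PreferredDataLocation; $result.Status = "SkippedHybrid"; $result; continue
        }
        if ($user.PreferredDataLocation -eq $pdl) {
            $result.Actual = $pdl; $result.Status = "AlreadySet"; $result; continue
        }

        Set-MsolUser -UserPrincipalName $upn -PreferredDataLocation $pdl
        # Read the value back rather than trusting a silent cmdlet
        $result.Actual = (Get-MsolUser -UserPrincipalName $upn).PreferredDataLocation
        $result.Status = if ($result.Actual -eq $pdl) { "Updated" } else { "VerifyFailed" }
        $result
    }
}

# Constructed sample batch; in practice point this at the list prepared during planning
@"
UserPrincipalName,PreferredDataLocation
manoj@mantoso.onmicrosoft.com,AUS
pilot01@mantoso.onmicrosoft.com,eur
"@ | Set-Content -Path "$env:TEMP\pdl-batch.csv"

Set-BatchPreferredDataLocation -CsvPath "$env:TEMP\pdl-batch.csv" | Format-Table -AutoSize
```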

Setting PDL for Synchronized users (Hybrid Users)

Setting the preferred data location for hybrid users is a somewhat lengthy process and is well explained in this post.

Search Experience in a Multi-Geo Setup

Every geo location acts as a search index (you will be familiar with this term if you are a SharePoint person) in a Multi-Geo setup. When there is a search query, the results are returned as a merged result from all indexes, which means all the satellite locations we added work together behind the scenes towards one goal.


The following search clients are supported in Multi-Geo

  • OneDrive for Business
  • Delve
  • The SharePoint home page
  • The Search Center
  • Custom search applications that use the SharePoint Search API

Consult this detailed article to understand and configure the search experience in a Multi-Geo setup.

End user experience validation

Validation is of utmost importance before you roll out the change widely across the organization. The following are some key scenarios for you to try out with test users before making it available to everyone.

OneDrive Portal

Click on to OneDrive from the Office 365 App Launcher. You should be directed to the defined geo location automatically, and it will now begin to provision the service in that PDL. After provisioning, try to upload and download some files and ensure everything works as expected.

OneDrive App

Use a mobile device to log in to the OneDrive app with the test account you used to upload the files, and verify that the files are available on the mobile device and that you have control to perform actions on them.

OneDrive Client

Use a laptop or a desktop to verify that the OneDrive Sync client works as expected. You can download the latest client by heading to the OneDrive library and clicking “Sync”; this will prompt you to download the client automatically if it doesn’t exist on that device.

Office Integration

Open up Word or Excel and check if your OneDrive location appears there. Try to save a file to OneDrive from there and ensure they are synchronized across your devices.

Sharing Experience

Despite any of these changes we did, you should be able to share a OneDrive file seamlessly (based on your compliance settings). To verify, try to share a file from OneDrive and confirm that the people picker allows you to add any user within the organization regardless of their location.

Office 365 Multi-Geo Part02 (Planning and recommendations)

Multi-Geo capability is a slightly complex topic to wrap up in a single article, as Office 365 is a diverse platform with multiple sets of business tool offerings, and a Multi-Geo configuration can affect most of these workloads at the highest level. That’s why the whole article was split into 4 stages, to give you a better and more comfortable reading experience with necessary breaks.

Part 1: Get Started

Part 2: Planning and recommendation

Part 3: Configuration

Part 4: Managing and Maintaining

I have gone through the introductory and concept briefing in the part 01 of this article series. Now let’s continue with this 2nd stage which describes planning and recommendations for Office 365 Multi-geo.

Test run – Highly Critical


Try out with a test user/s first. Consider having some test users for each use case as shown below and try out the changes with these users before you roll out in production.

  • Have an existing test user who has an active Office365 account with Exchange, SharePoint, OneDrive being used (with available content)
  • Try to add the capability for this user only
  • Move the user to new PDL
  • Move OneDrive content accordingly
  • Test the functionality for Exchange, OneDrive and SharePoint


Initial rollout (pilot run, targeted run) – Critical


After you have tested with the above single user, use a small group of people (5 would be ideal) as the pilot run. In most cases this group would be from IT staff as they are well aware of the approach and changes, technically.

Every user should have the preferred data location (PDL) defined, so that when new workloads are created (for example by those who do not use OneDrive right now but will later) they are provisioned in the new PDL. Office 365 will use the central location for users with no PDL defined. The recommendation is to set the PDL for all users.

Prepare a list of users with their User Principal Name (UPN) and include your test users, pilot users and the other group batches in order. This will help you in the configuration stage and will make the procedure easier and well tracked.

Considerations for Hybrid Scenarios

Azure AD Connect supports Multi-Geo by allowing synchronization of the PreferredDataLocation attribute for user objects from AADC version 1.1.524.0 onwards. However, this may vary for each organization, and if you are fully cloud with no on-premises dependency, you can ignore this section.

The schema of the object type User in the Azure AD Connector is extended to include the PreferredDataLocation attribute. The attribute is of the type, single-valued string.
The schema of the object type Person in the metaverse is extended to include the PreferredDataLocation attribute. The attribute is of the type, single-valued string.

The PreferredDataLocation attribute is not synchronized by default. This functionality is currently intended for larger organizations (it is the size of the organization rather than the scenario that matters at the moment). You have to plan for a local AD (on-premises) attribute which will hold the “Office 365 Geo Location” for your hybrid users, as there is no PreferredDataLocation attribute by default in on-premises Active Directory. Further, the PreferredDataLocation attribute can be managed by PowerShell for Azure cloud user objects but not for synchronized objects. For synchronized (hybrid) objects, you must use the AD Connect application.

Before you start on the technical configuration, I would highly recommend that you digest these articles and be aware of the outcomes:

Stay tuned for part 03 (technical steps).
