Remove orphaned delegation permissions of a deleted user in Exchange Online mailbox

You might think that a user’s delegate permissions for other mailboxes will be removed up on deleting the account in the Azure Active Directory, apparently it wasn’t in my case.

access20delegation-01_thumb

Scenario:

Location – Calendar folder of ‘manoj@mantoso.live:\Calendar’

Delegated editor permissions to – ‘Marie Jonas’ (Abandoned identity after AD account deletion)

Even though this particular account was permanently deleted from Azure AD after 30 days of marking deletion, the delegation access (editor) to other users’ Exchange mailboxes remained intact which caused the following strange behaviors that I had to get rid of.

  • Others can still spot this user’s name in the calendar invites
  • Possibly in other various occasions too based on the permissions the user had before deleted

Here’s the PowerShell command to fetch the permissions of a specific location. This will list down all the delegated permissions of ‘Manoj’s’ Exchange calendar. In my case, the abandoned user also popped up in the results.

Get-EXOMailboxFolderPermission "manoj@mantoso.live:\calendar" 

e.g0.1

Now, to dig further down to be more specific to this mysterious user, let’s run this command

Get-EXOMailboxFolderPermission "manoj@mantoso.live:\calendar" | where {$_.user.tostring() -like "Marie Jonas*"}

e.g0

This means the permission thumbprint is intact even after the account was permanently deleted which is a mystery. Now to get rid of this, we can use this command below. I tried several other approaches from various Microsoft articles and forum posts but none of them worked but the following.

Get-EXOMailboxFolderPermission "<user@domian.com:\calendar>" | where {$_.user.tostring() -like "<FirstName Last Name>*"} | Remove-MailboxFolderPermission -Confirm:$False

After running that with no errors/warnings. I ran Get command again to verify if it really was a success. And Yes ! Nothing returned, which means the permissions are now cleared for this abandoned identity of ‘Marie Jonas’.

2

Allowed it a couple of hours, her name disappeared from the calendar invites as well.

Get-EXOMailboxFolderPermission "<user@domian.com:\calendar>" | where {$_.user.tostring() -like "<FirstName Last Name>*"} | Remove-MailboxFolderPermission -Confirm:$False

Error when accessing Exchange Online classic Admin Center (EAC): 403 Access denied :(

We have been pulling our hair out for several days due to this issue. Office 365 Exchange admin center gives the following error whereas the new admin center worked well.

when you click that “Exchange” blade from the Office 365 admin center, it usually takes you to the classic Admin center which we still need for some functions that new Admin center doesn’t have.

image 

clip_image001

After lots of struggle, we managed to figure out the Root cause and reported to Microsoft through an incident.

Root cause: Group based access assignments in Privileged Identity Management.

image

Workaround: We had assigned Azure AD Roles such as Global Administrator, Exchange Administrator via Group based PIM which did not work properly with classic EAC. Assigning Direct permissions fixed this and we managed to open the classic console immediately, right after the direct assignment. If you are facing the same, try to get rid of “Group Assignments” for Exchange Admins at least for the time being and go for “Direct Assignments

Official reference: https://docs.microsoft.com/en-us/azure/active-directory/roles/groups-concept 

KnownIssue

I will update this post up-on Microsoft’ support responses.

‘Connect-MsolService’ is not recognized as the name of a cmdlet

If you are facing this issue, you are not alone. In my case, I had run the install-Msolservice command before and it completed with no errors but nothing seemed to be installed, therefore it didn’t connect or recognize the modules in the machine. Here are the steps to get it fixed.

Open PowerShell as Admin –> Run the following commands in sequence (ensure your machine is connected to internet)

Firstly, uninstall the Azure-AD module

uninstall-module AzureAD

The re-install it

Install-module AzureAD
Install-module AzureADPreview

Try to run this. It will complete without any errors if you have the module existed but somehow corrupted (It could fail too but just run it anyways to verify)

Uninstall-module MSOnline

Now re-install the MSOnline Module

Install-module MSOnline

And now you can connect to O365. It should prompt you for credentials to login

Connect-MsolService

Once completed, the following command can be used to verify the installation.

Get-Module -ListAvailable -Name MSOnline*

MSolservice

Permanently deleting an Office 365 Group object in retention enabled environment

There is a stage where an Office 365 group can reach its end. As O365 group acts a major role for may Office 365/Azure related workloads, there could be plenty of situations you come across that you have to get rid of some of your Office 365 Groups.

For instance, a situation where you have removed your Team and Its associated SharePoint site but Group object could be still hanging in the recycle bin until it reaches the retention period based on the retention policy you have set. Or, perhaps, you have decided to delete a SharePoint site or Microsoft Team, you will find you cannot create another team or site in its place. You will receive an error saying this group already exists.  This is because the group was deleted as a ‘soft delete’. Meaning it’s sitting in a recycle bin for a number of days until it’s permanently deleted (retention plays again). Just follow these steps and you will immediately get rid of that unnecessary group object.

First and foremost, ensure that you have Azure AD PowerShell module is installed in your PC.

Run the following commands in sequence.

This first line will connect you to your Office 365 Tenant’s Azure AD. you will be prompted for the credentials to log in.

Connect-AzureAD

image

image

Now let’s run this one to get the group GUID from the deleted list

Get-AzureADMSDeletedGroup

image

Copy that GUID of the desired group and run the following by targeting that ID.

Remove-AzureADMSDeletedDirectoryObject -Id <ReplaceWithGroupID>

It should result as follows if it was success

clip_image001

To ensure the deletion is successful, run the same command again and see if it doesn’t return the group name you deleted. It shouldn’t !

Get-AzureADMSDeletedGroup

Fixed: Android QR Code enrollment with corporate-owned-fully managed user devices (Preview) mode of Intune erases default apps after enrolling.

Microsoft Intune allows you to manage all your devices in a single platform. Windows, Android, MacOS or iOS can be managed using Intune device management capabilities.

Intune

When it comes to Android specifically, there are several ways you can enroll and manage a device.

Android Enterprise (offering a set of enrollment options that provide users with the most up-to-date and secure features):

Android Enterprise work profile: For personal (used mostly in BYOD scenarios) devices granted permission to access corporate data. Admins can manage work accounts, apps, and data. Personal data on the device is kept separate from work data and admins don’t control personal settings or data.

Android Enterprise dedicated: For corporate-owned, single use devices, such as digital signage, ticket printing, or inventory management. Admins lock down the usage of a device for a limited set of apps and web links. It also prevents users from adding other apps or taking other actions on the device.

Android Enterprise fully managed user devices: (In Preview Mode) For corporate-owned, single user devices used exclusively for work and not personal use. Admins can manage the entire device and enforce policy controls unavailable to work profiles.

If you decide to go ahead with the 3rd option, there are a few things to consider.

  • Supervised mode supported only for latest devices
  • At least Android 6.0
  • Enrollment is done manually via a QR code
  • Device has to be fully erased before the enrollment begin

Take the following steps to ensure your device retain all the default and system apps (google apps, camera, calculator, calendar, photos etc..). In my case, the original QR given by Intune simply took off all default and system apps after enrolling. This workaround is to address this issue.

To get the QR code from your Intune profile which is relevant for your enrollment, head on to Intune –> device enrollment blade –> Android Enrollment –> Choose “Corporate owned-fully managed user device” option –> Make sure this option is enabled and you can see the QR right there.

QR Code section

And now head on to one of the QR code decoding service. I used https://blog.qr4.nl/Online-QR-Code-Decoder.aspx which did the job very well without any cost for me. Its just a matter of uploading your QR and click a button to simply extract the code behind.

Now you have the code behind with you. we have to edit this and include the following portion in the code.

“android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED”:true

Once it added, your final code would look similar to this:Code_Final

Now, we need another service to re-encode this new code we have. I used https://www.qr-code-generator.com which was great for me. Again there is no cost for this, too!

Once you have encoded, you can download the QR. And now simply use this one to enroll the Android device.

Android3

If you followed the steps correctly, all default and system apps should remain intact after the enrollment.

Android2      Android1

Retrieve and export Office 365 Group Members (Part02)

This is the 2nd part of the article series “Retrieve and export Office 365 Group Members”. We are covering up the second part in this post.

9

  1. Retrieve and export members of an specific Office 365 group (Part01)
  2. Retrieve and export members of all Office 365 groups (Part 02)

The best tool to run these kind of scripts is the PowerShell ISE. Copy the following code and paste it in to PowerShell ISE and make sure that you have run it as the Admin.

14

### All users of all groups 

$CSVPath = "C:\Exports\AllGroupMembersList.csv"
 
### Get Credentials
$Credential = Get-Credential
   
### Create Session
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Credential -Authentication Basic -AllowRedirection
   
### Import Session
Import-PSSession $Session -DisableNameChecking

### Remove the CSV file if already exists
If(Test-Path $CSVPath) { Remove-Item $CSVPath}

### Retreive all Office 365 Groups
$O365Groups=Get-UnifiedGroup
ForEach ($Group in $O365Groups) 
{ 
    Write-Host "Group Name:" $Group.DisplayName -ForegroundColor Green
    Get-UnifiedGroupLinks -Identity $Group.Id -LinkType Members | Select DisplayName,PrimarySmtpAddress
 
    ### Get Group Members and export to CSV
    Get-UnifiedGroupLinks -Identity $Group.Id -LinkType Members | Select-Object @{Name="Group Name";Expression={$Group.DisplayName}},`
         @{Name="User Name";Expression={$_.DisplayName}}, PrimarySmtpAddress | Export-CSV $CSVPath -NoTypeInformation -Append
}
  
#Remove the session 
Remove-PSSession $Session

A closer look would be like this once you paste it. Ensure to replace the <CSVPath> parameter value before you run it.

1111

Just hit the play button to run the whole thing or you can highlight a specific line to run that only.

222

If all went well, you would not get any prompts or errors except the credentials insertion prompt.

And the group members list with the respective group name will be listed right on the PowerShell result pane just like below.

3333

4444

And if you go back to your export folder, the CSV will also sit there just for you to open and see.

5555

6666

DISCLAIMER NOTE: This is an enthusiast post and is not sponsored by Microsoft or any other vendor. Please do not copy/duplicate the content of the post unless you are authorized by me to do so.

Stay ahead on Hybrid Identities–Microsoft’s Azure AD Connect v1.3.20.0 has a lot to offer

Microsoft has released the latest version of Azure AD Connect last week which was long impending !

installadconnect02

Azure AD Connect is the bridge that is used to synchronize identities (objects and their attributes) across on-premise and cloud environments by many organizations.  However, every feature that is bundled in this release doesn’t target every audience. You can choose the ones that are most applicable to your organization’s environment.

Download the latest version of AADConnect

Fixes this version carries:

  1. Fix the SQL reconnect logic for ADSync service
  2. Fix to allow clean Install using an empty SQL AOA DB
  3. Fix PS Permissions script to refine GWB permissions
  4. Fix VSS Errors with LocalDB
  5. Fix misleading error message when object type is not in scope
  6. Corrected an issue where installation of Azure AD PowerShell on a server could potentially cause an assembly conflict with Azure AD Connect.
  7. Fixed PHS bug on Staging Server when Connector Credentials are updated in the old UI.
  8. Fixed some memory leaks
  9. Miscellaneous Auto upgrade fixes
  10. Miscellaneous fixes to Export and Unconfirmed Import Processing
  11. Fixed a bug with handling a backslash in Domain and OU filtering
  12. Fixed an issue where ADSync service takes more than 2 minutes to stop and causes a problem at upgrade time.

New features and advancements (19 new stuff in one go !)

  1. Add support for Domain Refresh
  2. Exchange Mail Public Folders feature goes GA
  3. Improve wizard error handling for service failures
  4. Added warning link for old UI on connector properties page.
  5. The Unified Groups Writeback feature is now GA
  6. Improved SSPR error message when the DC is missing an LDAP control
  7. Added diagnostics for DCOM registry errors during install
  8. Improved tracing of PHS RPC errors
  9. Allow EA creds from a child domain
  10. Allow database name to be entered during install (default name ADSync)
  11. Upgrade to ADAL 3.19.8 to pick up a WS-Trust fix for Ping and add support for new Azure instances
  12. Modify Group Sync Rules to flow samAccountName, DomainNetbios and domainFQDN to cloud – needed for claims
  13. Modified Default Sync Rule Handling – read more here.
  14. Added a new agent running as a windows service. This agent, named “Admin Agent”, enables deeper remote diagnostics of the Azure AD Connect server to help Microsoft Engineers troubleshoot when you open a support case. This agent is not installed and enabled by default. For more information on how to install and enable the agent see What is the Azure AD Connect Admin Agent?.
    Updated the End User License Agreement (EULA)
  15. Added auto upgrade support for deployments that use AD FS as their login type. This also removed the requirement of updating the AD FS Azure AD Relying Party Trust as part of the upgrade process.
  16. Added an Azure AD trust management task that provides two options: analyze/update trust and reset trust.
  17. Changed the AD FS Azure AD Relying Party trust behavior so that it always uses the -SupportMultipleDomain switch (includes trust and Azure AD domain updates).
  18. Changed the install new AD FS farm behavior so that it requires a .pfx certificate by removing the option of using a pre-installed certificate.
  19. Updated the install new AD FS farm workflow so that it only allows deploying 1 AD FS and 1 WAP server. All additional servers will be done after initial installation.

If you plan to upgrade, the following resources should be your first reads.

Office 365 Multi-Geo Part02 (Planning and recommendations)

Multi Geo capability is a little complex topic to wrap up in a single article as Office 365 is a diverse platform with multiple set of business tool offerings. Eventually, Multi-geo configuration can affect to most of these workloads at highest level. That’s where the whole article was split in to 4 stages in order to give you a better and comfortable reading experience with necessary breaks.

Part 1: Get Started

Part 2: Planning and recommendation

Part 3: Configuration

Part 4: Managing and Maintaining

I have gone through the introductory and concept briefing in the part 01 of this article series. Now let’s continue with this 2nd stage which describes planning and recommendations for Office 365 Multi-geo.

Test run – Highly Critical

4

Try out with a test user/s first. Consider having some test users for each use case as shown below and try out the changes with these users before you roll out in production.

  • Have an existing test user who has an active Office365 account with Exchange, SharePoint, OneDrive being used (with available content)
  • Try to add the capability for this user only
  • Move the user to new PDL
  • Move OneDrive content accordingly
  • Test the functionality for Exchange, OneDrive and SharePoint


Initial rollout (pilot run, targeted run) – Critical

5

After you have tested with the above single user, use a small group of people (5 would be ideal) as the pilot run. In most cases this group would be from IT staff as they are well aware of the approach and changes, technically.

every user should have the preferred data location (PDL) defined so that when the new workloads are created (such as those who do not use OneDrive right now perhaps later) they’ll be provisioned in the new PDL. Office365 will use central Location for those users with no PDL defined. The recommendation is, better to set PDL for all users.

Prepare a list of users with their User Principle Name (UPN) and include your Test users, pilot users and other groups batches in order. This will help you in the configuration stage and will make the procedures easily and well tracked.

Considerations for Hybrid Scenarios

Azure AD Connect supports Multi Geo by allowing synchronization of the PreferredDataLocation attribute for user objects from AADC version 1.1.524.0 onwards. However, this may vary for each organization  and if you are fully cloud with no on-premise dependency, please ignore.

The schema of the object type User in the Azure AD Connector is extended to include the PreferredDataLocation attribute. The attribute is of the type, single-valued string.
The schema of the object type Person in the metaverse is extended to include the PreferredDataLocation attribute. The attribute is of the type, single-valued string.

PreferredDataLocation attribute is not synchronized by default. This functionality is currently intended for larger organization (Its eventually the size than the scenario at the moment). You have to plan for an Local AD (on –premise) attribute which will hold the “Office 365 Geo Location” for your hybrid users as there is no PreferredDataLocation attribute by default in on-premise Active Directory. Further, PreferredDataLocation attribute can be managed by PowerShell for Azure Cloud User Objects but not for Synchronized Objects. For synchronized objects (Hybrid), you must make use of AD Connect application.

Before you start on technical configurations, I would highly recommend you to digest these articles and beware of the outcomes:

stay tuned for the part 03 (technical steps)

DISCLAIMER NOTE: This is an enthusiast post and is not sponsored by Microsoft or any other vendor. Please do not copy/duplicate the content of the post unless you are authorized by me to do so.

I’ll be speaking at aOS Conference Kuala Lampur

Manoj V Karunarathne-01[25650]

DATE:

TIME:

VENUE:

FEE:

23RD OCTOBER 2018

TUESDAY

09.00AM TO 5.30PM

Registration starts at 8.30am

EVENT FLOOR

MICROSOFT MALAYSIA,

18TH FLOOR, MENARA SHELL.

(Microsoft New Office)

FREE ENTRANCE

**Register NOW! Seats are on first come first serve basis**

REGISTER HERE!!!

Who Is This For?

The content is suited to business people, managers, CIOs, executives, and end users.

There is also content for Technical roles (IT Pros, Developers and Hands on Power Users) to learn the how and why of many Office 365 (and SharePoint) apps.

If you are someone who sees the digital workplace as a way to improve the way you work, increase your team’s productivity and deliver better results – come and learn how.

· Business Decision Makers – what it can do?

· IT Pro – how to migrate or manage?

· Developers – how to build or configure it?

TIME

BUSINESS DECISION

IT PRO

DEVELOPERS

08.30 AM – 09.00 AM

Registration

09.00 AM – 09.45 AM

Opening & Key Note

10.00 AM – 10.45 AM

Transforming Your Organization into a Digital Workplace

A Deep Dive into Microsoft 365 Security

A Deep Dive into Microsoft 365 Security

11.00 AM – 11.45 AM

Delivering tangible business value with Office 365

Single Sign on and Multi Factor Authentication with Azure AD

Lean, Scrum and Low code approach of SharePoint and O365 projects

12.00 PM – 12.45 PM

Accelerate success and time-to-value for Microsoft 365 with best practices from the field

Data Leakage Prevention and Rights Management in Office365

Bot Framework with Microsoft Team

01.00 PM – 01.45 PM

Lunch

02.00 PM – 02.45 PM

The 4th Dimensional Meeting

Migrating to SharePoint Online – Real-life Experiences

Accelerating development and business with Azure Containers

03.00 PM – 03.45 PM

Bots – Changing the way we engage with technology

How your SharePoint deployment can benefit from Azure capabilities

Microsoft Graph: Get the power of Excel functions into your Web Applications

04.00 PM – 04.45 PM

All about documents in O365 and SharePoint

IOT for Beginners and IT Pros

Using Graph API to read Outlook mail for Accounting

05.00 PM – 05.30 PM

Wrap Up & Panel Discussion

Share & exchange, Worldwide

In conjunction with our inaugural ASEAN tour, aOS is bringing its global experts to mingle with Malaysia’s Azure and Office 365 user’s community to exchange ideas on how to maximize your usage and ROI from Microsoft’s cloud technologies.

CONNECT: Meet like-minded people, make new connections, build your support network. See a whole range of products and demonstrations ALL in the one place!

LEARN: Whether it be training, up-skilling or starting from scratch, the opportunities to learn from the BEST in the field are here.

EXPERIENCE: New innovation and inspiring speakers. Walk away with ideas and momentum. We bring you LOTS of what is NEW in Microsoft Office 365 and Azure.

Technologies Content – Microsoft Teams (and Groups), PowerApps, Flow, Power BI, OneDrive, Microsoft Forms, Skype for Business, Azure, Yammer, OneNote, Office 365, many 3rd party tools and our awesome line up of SharePoint content.

Business and Productivity Content – Digital Workspace, Security, Governance, Information Architecture, Collaboration, Data Migration, User Adoption, Agile Development, Mobile and Paperless Workforce.

With 18 SESSIONS (MVPs and domain experts) coming from 14 INTERNATIONAL SPEAKERS, 7 COUNTRIES this event is THE Office 365 event for this year. With limited spaces available, it is on a first come, first serve basis. Be there or be square!…. (read more here!)

Azure AD App Only Authentication

In a simple way, App Only authentication is the ideal method if you want to execute  a task by daemon. This allows you to execute some code without the permissions of a user or without an auth token of a user.

As part of a series of articles, idea of this 1st post is to give you an basic  fundamental understanding on creating an Azure AD App and grant permissions for this App to communicate with SPO.

let’s get this started. Simply head on to your Office365 home page and switch to Admin Centers. From the left pane, click on “Azure Active Directory”. From Azure AD, search for “App Registrations” and click “Add new application registration” link.

A new application interface will pop-up for you. Enter a name, Application type and Sign-on URL and click “Create”. Sign-in URL can be any and it also can be amended later to reflect a different one. A future post will discuss this again on what sort of URLs are used here.

image 

Once the app creation done, you will be given with the app ID and other details related to it.

image

Next- Select Settings –> Required permissions and Add

clip_image001

clip_image002

In this case the API going to be SPO. You can choose the right API based on the requirement.

image

Next, hit “Grant Permission” button on the required permissions tab to provide none-tenant admin user access the application.

A self-signed or public (commercial) certificate must be provided now and then update the Azure AD manifest accordingly.

Following PS can be used to provision the certificate but ensure you have installed OfficeDev PnP PowerShell.

$certroot = 'C:\Site Creator'
$certname = "IntelAi-Cert-1"
$password = ConvertTo-SecureString "P@$$w0rd" -AsPlainText -Force
$startdate = Get-Date
$enddate = $startdate.AddYears(4)
makecert.exe -r -pe -n "CN=$certname" -b ($startdate.ToString("MM/dd/yyyy")) -e ($enddate.ToString("MM/dd/yyyy")) -ss my -len 2048
$cert = Get-ChildItem Cert:\CurrentUser\My | ? {$_.Subject -eq "CN=$certname"}
Export-Certificate -Type CERT -FilePath "$certroot\$certname.cer" -Cert $cert -Force
Export-PfxCertificate -FilePath "$certroot\$certname.pfx" -Cert $cert -Password $password -Force

Following line will copy a string to your clipboard

Get-PnPAzureADManifestKeyCredentials -CertPath 'C:\Site Creator\IntelAi-Cert-1.cer' | clip

Following is how the copied string would look like. It has to be added to the manifest file of the Azure AD application.

"keyCredentials": [
 {
  "customKeyIdentifier": "5lca+kziogw7T6MB4kUrxseK5m8=",
  "keyId": "84153f1a-90b7-4802-b99a-bb75d4f9a35b",
  "type": "AsymmetricX509Cert",
  "usage": "Verify",
  "value": "MIIDAjCCAe6gAwIBAgIQkawCJU0cWYxH8RamKNuqqTAJBgUrDgMCHQUAMBkx
 }
],

Select your application under app registrations in Azure AD. Replace the “KeyCredentials”:[], section, as shown below.

image

Now this can be tested whether the application has required permissions to connect to the SharePoint Online site. For the ClientID, you need to provide application ID of the app you have created.

$password = ConvertTo-SecureString "P@$$w0rd" -AsPlainText -Force
Connect-PnPOnline -Url https://site.sharepoint.com/ -ClientId 0c01f61e-ba27-4ae7-ab19-174884a949fc -CertificatePath 'C:\Site Creator\Site-Cert-1.pfx' -CertificatePassword $password -Tenant intelai.onmicrosoft.com
$myWeb = Get-PnPWeb
$myWeb.Title

DISCLAIMER NOTE: This is an enthusiast post and is not sponsored by Microsoft or any other vendor.