Month: October 2013

Removing O365 Accounts WITHOUT Having to Remove AD Accounts


As many Office 365 Admins know, when you use Directory Synchronization to synchronize all your AD objects into the cloud and need to remove someone from Office 365, you have probably found that the ONLY way to remove the cloud user is to remove the AD user.  BUT many times this is not possible, as the AD user still has a role to fulfill or is being used, for example, as a Service Account.  In this case, “what DO you DO?”

The new Directory Synchronization provides “scoping” capabilities, which means ONLY certain domains/OUs are synchronized while all other AD objects are not. This “scoping” feature is key to maintaining your Active Directory user objects while removing them from your Office 365 tenant.

In a nutshell, you would use the following article, which explains HOW to set up Directory Synchronization “scoping”, to take an OU out of synchronization; that OU is where you place all the AD accounts that no longer need to be in Office 365.  DirSync will no longer find these accounts in your AD, because it does not look into that OU (i.e. Scoping), and will issue a Delete request to Office 365 to remove these users.

Resources

  1. Overview of Directory Synchronization Filtering/Scoping:
    1. http://technet.microsoft.com/en-us/library/jj710171.aspx
    2. http://blogs.technet.com/b/educloud/archive/2012/08/10/user-soft-delete-and-dirsync-filtering-enabled.aspx
      1. Great additional article on Directory Synchronization Filtering and a discussion on the Soft-Delete feature, allowing you to recover users and their MBXs quickly and easily.

Note – Directory Synchronization scoping is a relatively new feature and one that can be used when you need to maintain AD users while removing them from Office 365.  Directory Synchronization is the only way to manage this scenario, as Directory Synchronization maintains management of these user objects, which requires that the user objects be managed via onsite Active Directory.  Be careful when using Directory Synchronization scoping, as the Directory Synchronization delete directive WILL cause these online user objects to be deleted.  If you have done Directory Synchronization scoping in error, you can easily use the “Soft-Delete” feature in Office 365 to get these accounts pulled from the “deleted items” hidden folder in Office 365 AD and bring them back into action.
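To confirm that scoping really removed the intended accounts from the tenant, and to recover any that were scoped out in error, the following is an added example and not part of the original post. It assumes the ActiveDirectory and MSOnline modules, an existing Connect-MsolService session, a hypothetical OU name, and that each cloud UPN equals the AD UPN.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory (RSAT)
# and MSOnline modules and an existing Connect-MsolService session.
Import-Module ActiveDirectory
Import-Module MSOnline

# Hypothetical OU that DirSync scoping no longer synchronizes
$unsyncedOu = 'OU=NoCloudSync,DC=contoso,DC=com'

# Index the tenant's soft-deleted users by lower-cased UPN
$softDeleted = @{}
Get-MsolUser -ReturnDeletedUsers -All | ForEach-Object {
    $softDeleted[$_.UserPrincipalName.ToLower()] = $_
}

# Classify every AD account parked in the unsynced OU
$report = foreach ($adUser in Get-ADUser -Filter * -SearchBase $unsyncedOu) {
    if (-not $adUser.UserPrincipalName) { continue }   # no UPN to match on
    $upn = $adUser.UserPrincipalName.ToLower()

    if ($softDeleted.ContainsKey($upn)) {
        $state = 'SoftDeleted'      # DirSync issued the delete; still recoverable
    } elseif (Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue) {
        $state = 'StillInCloud'     # delete not processed yet; account can still sign in
    } else {
        $state = 'NotInTenant'
    }

    [pscustomobject]@{
        SamAccountName = $adUser.SamAccountName
        UPN            = $upn
        CloudState     = $state
    }
}
$report | Sort-Object CloudState, UPN | Format-Table -AutoSize

# Accounts scoped out in error: list their UPNs here to pull them back from soft-delete
$scopedInError = @()    # e.g. 'ChicagoAbe@contoso.com' (constructed sample value)
foreach ($upn in $scopedInError) {
    Restore-MsolUser -UserPrincipalName $upn
}
```

Any row reported as StillInCloud after a synchronization cycle is an account that was meant to lose Office 365 access but has not.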

DirSync, proxyAddresses & Domains – Removing Domain & Managing Email Address


For Office 365 Admins who manage domains and UPNs/proxyAddresses, I wanted to write a posting explaining an interesting “use case scenario”.

Scenario

  1. You have created and verified a domain in your Office 365 Portal, such as the ole contoso.com domain
  2. Users in your Active Directory have been given that email address via the AD proxyAddresses attribute and synchronized into Office 365
  3. You remove the domain from your Online Portal because it is no longer needed, such as selling the company/domain
    1. Note – In order to remove a domain NO OBJECTS can be associated with this domain, either as UPN or Email address.  The fastest way to do this is to remove the Domain Intent settings for Lync & Exchange Online, which releases the check for attributes using this domain during the Domain Removal process.

Note – Unchecking these services from your domain will release the attribute checks used by this domain.  If you do not do this, then you must change your task and remove the email addresses from on-premises Active Directory (UPN and/or proxyAddresses {SMTP}) before you can remove this domain.  There is a way to remove SMTP addresses from Online using PowerShell, BUT managing onsite Active Directory is the better approach for this scenario.

  • Question: You will notice that by removing the contoso.com domain that the online users maintain their @contoso.com domain and you may be asking yourself “WHY, I removed the domain”.
  • Answer: This is because Directory Synchronization manages the proxyAddresses value during Synchronization and will NOT see any changes to your on-premises Active Directory user’s proxyAddresses values, therefore no changes are pushed into the cloud.
  • Resolution: To remove the @contoso.com domain email address from online users, you must remove the @contoso.com proxyAddress (i.e. smtp:ChicagoAbe@contoso.com) from Active Directory, which instructs Directory Synchronization to remove it from your Office 365 user email address.

Note – Click Remove on the @contoso.com email address and in 3 hours Directory Synchronization will remove this from the online user.
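The Resolution above, carried out for every affected user instead of one Remove click at a time, as an added example that is not part of the original post. It assumes the ActiveDirectory module; the helper name Get-RetiredProxyAddress is hypothetical, and -WhatIf keeps the run read-only until you remove it.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$retiredDomain = 'contoso.com'   # the domain removed from the portal in the post

# Hypothetical helper: return only SMTP-type entries on the retired domain.
# -match is case-insensitive, so both "SMTP:" (primary) and "smtp:" (secondary)
# are returned; x500, sip and other address types are left alone.
function Get-RetiredProxyAddress {
    param(
        [string[]]$ProxyAddresses,
        [string]$Domain
    )
    $pattern = '^smtp:[^@]+@' + [regex]::Escape($Domain) + '$'
    $ProxyAddresses | Where-Object { $_ -match $pattern }
}

# Every user that still carries an address on the retired domain
$users = Get-ADUser -LDAPFilter "(proxyAddresses=smtp:*@$retiredDomain)" -Properties proxyAddresses

foreach ($user in $users) {
    $stale = @(Get-RetiredProxyAddress -ProxyAddresses $user.proxyAddresses -Domain $retiredDomain)

    # Upper-case "SMTP:" marks the primary (reply) address; removing it would
    # leave the mailbox without a primary, so only report it.
    $primary   = @($stale | Where-Object { $_ -cmatch '^SMTP:' })
    $secondary = [string[]]@($stale | Where-Object { $_ -cmatch '^smtp:' })

    if ($primary.Count -gt 0) {
        Write-Warning "$($user.SamAccountName): primary address $($primary -join ', ') is on $retiredDomain; assign a new primary first"
    }
    if ($secondary.Count -gt 0) {
        # Drop -WhatIf once the proposed changes have been reviewed
        Set-ADUser -Identity $user -Remove @{ proxyAddresses = $secondary } -WhatIf
    }
}
```

As the post notes, the change reaches the online user only after the next Directory Synchronization run.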


 

 

NOTE – There are ramifications for doing this, as this email address is/was most likely used in Exchange Online.  If @contoso.com was used to send mail by other Exchange Online users, this address will be cached in Outlook and will automatically popup when attempting to send to ChicagoAbe@contoso.com.  Users must hit the Delete button to remove this entry from their Outlook cache and then “re-find” the user, which will now only use ChicagoAbe@Fabrikam.com.

Provide PowerShell 3.0 Add-On Connections for Office 365


The below is provided as-is and not supported in any way.  It is a set of PowerShell commands that instruct the PowerShell 3.0 ISE to load these commands each time the ISE is launched:

  1. Create a new folder in your Documents folder called WindowsPowerShell
  2. Open notepad and copy the below into the notepad file
    1. Once copied, save the file with a .ps1 extension

 

# Add-ons menu entry: open a remote session to Exchange Online and import its cmdlets
$psISE.CurrentPowerShellTab.AddOnsMenu.SubMenus.Add("Connect to Exchange Online",
    {
        # Prompt only when no credential has been captured yet
        if ($null -eq $msolCredentials)
        {
            $msolCredentials = Get-Credential
        }
        # Basic authentication: the credential is sent to the HTTPS endpoint on connect
        $EXOL = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $msolCredentials -Authentication Basic -AllowRedirection
        Import-PSSession $EXOL
    },
    "Control+Alt+Z"
)

# Add-ons menu entry: load the MSOnline module if needed and connect to Office 365
$psISE.CurrentPowerShellTab.AddOnsMenu.SubMenus.Add("Connect to Office 365",
    {
        if ($null -eq $msolCredentials)
        {
            $msolCredentials = Get-Credential
        }
        # Import MSOnline only when it is not already loaded in this session
        if (-not (Get-Module -Name MSOnline))
        {
            Import-Module MSOnline -ErrorAction SilentlyContinue
        }
        Connect-MsolService -Credential $msolCredentials
    },
    "Control+Alt+X"
)

# Start each ISE session without a cached credential
$msolCredentials = $null

Exchange Online & Postmaster Account / NDR Sender


As Exchange Administrators work to understand all the nuances of Exchange Online, either the older Office 365 (2010) or the newer Office 365 (2013), they have probably asked “What about my Postmaster account, where is it, how do I configure or manage it?  There is no Postmaster account that I can find, so how does this work?”.

According to the following article, written in 2012, EXO Admins get a default Postmaster account/setting used for their Exchange Online Tenant:  http://www.msdigest.net/2012/03/how-to-set-the-postmaster-address-in-office-365/

So you as an Exchange Online Admin may start to see lots of information from postmaster@domain.com or postmaster@domain.onmicrosoft.com.  However, you won’t find a Postmaster account, as this is part of the underlying Exchange Online Service.  Save yourself some time and don’t try to find the account; it is nowhere to be found but is always looking out for your Exchange Online Messaging domain.

Exchange Online 2013 & Outlook Connections – When New Additional Connections Arise


As many Exchange Online Administrators know, your daily job is to make sure that your users can use Exchange Online for their daily email communications.  However, you may find some Outlook clients opening more than their “fair share” of connections into Exchange Online, which may be picked up by internal Networking teams.  If you run into an issue with increased Outlook connections into Exchange Online (Ctrl-Right-Click of Outlook –> Connection Status in the Windows SysTray), you will want to investigate whether additional Mailboxes and/or Calendars are being loaded into the user’s Outlook Profile.

With additional resources/assets being loaded into an Outlook Profile, Exchange Online 2013 will require additional connections in order to pull this information, normally seen as ~2-4 connections per resource.  With these additional connections, you as an Admin or Networking Teams may want to investigate why this is happening.

More Information

In Exchange Online 2010 the Calendaring information for users in the same Exchange Online Organization is centralized, so no additional connections are needed.  In Exchange 2013, with mailboxes and resources load-balanced amongst many different servers, Outlook must open additional connections to these different locations in order to properly pull the needed information.

Resources

More information available in the Office 365 Deployment Guide: