Built-in MDM for Office 365 is launched!


Fantastic news, fellow nerds… one of my must-have features for 2015 has been launched! I am super excited about this one and I believe it will give many new customers the peace of mind and confidence to start moving to Office 365 in earnest.

One of the great things about Office 365 is that you can get to your corporate data from anywhere, on any device. This is what users expect in today's modern world, and Office 365 lets us give our users the functionality they expect. However, the service's greatest benefit was also its greatest drawback: how can we make sure that data is secure if users can access it from anywhere? Before today, the answer was one of the following:

a. Use Microsoft Intune to control access to specific, enrolled devices. This came at additional cost and was a hard sell if a company had already got in bed with a different MDM provider.

b. Use ADFS and Conditional Access Policies to control access. This functionality was limited in scope and took away an awful lot of the benefits of Office 365 from a portability perspective.

c. Use the only control method available to try to limit data leakage: Exchange ActiveSync Quarantine. The problem with this is that it only applies to ActiveSync connections and cannot control OneDrive for Business use. It also lacks granularity with regard to compliance.

Yesterday, the Office team announced that built-in MDM will be rolled out to all Office 365 commercial plans over the next 4-6 weeks. I am on the First Release program (http://doubledit.co.uk/2015/01/08/office-365-first-release-program/) and have not got the feature yet, but as soon as I do I will be playing around and reporting back!

The main features are as follows:

Conditional Access – this ensures that only managed, compliant devices can connect to your corporate data. This is the biggie and helps us control which mobile devices can access data stored in Office 365, not just Exchange Online.

Device Management – Jailbreak detection, PIN lock controls and rich reporting.

Selective Wipe – Remove corporate data from a managed device while leaving personal data in place.

For those wanting more advanced capabilities such as VPN/Wi-Fi profile management, PC management and mobile app management, Intune is still the go-to Microsoft product.

You can find out more about the MDM capabilities being rolled out to Office 365 customers at the official blog here: http://blogs.office.com/2015/03/30/announcing-general-availability-of-built-in-mobile-device-management-for-office-365/

Modify AADSync Default Schedule

When using the AADSync tool to synchronise your Active Directory environment with Azure Active Directory (AAD), the default schedule for an incremental sync is 3 hours. This is done using a Scheduled Task. There are many reasons why you may want to change this schedule; maybe you have a high rate of change in your AD environment and you need a 1 hour sync to keep Office 365 up to date, or it might be that you have such a slow rate of change in your AD environment that you only want to sync your identities once every few days. It is worth mentioning that Password Synchronisation does not follow this schedule and is done immediately following a change of password, so this shouldn’t play a part in your decision to modify any scheduling of sync tasks.

Whatever your reasons, you are likely to become a little befuddled when trying to modify the regularity of your scheduled task. If you go into Task Scheduler, find the Azure AD Sync task and go into Properties, you can change the frequency of the task to make it run more or less often. However when you try to save the task it will ask you for the password of the account under which the task runs, the name of which looks something like ‘AAD_a6a4cefedc741’. It uses a random hex code at the end of the name so this could be slightly different to the example I’m using.

Modify AADSync Schedule

This account is used to run the AADSync service, is the account used to access the MIIS client database, and also to run the Scheduled Task. It is a local account which is created during the initial installation of AADSync, and the password is randomly generated. It may be tempting to change the password of this account, but please don’t. I have only come across this happening twice but both times have involved the internal database becoming completely inaccessible, meaning that the service simply won’t start, even with correct credentials.

If you really must change the frequency of your sync, create a new Scheduled Task and configure it to run the following application:

“C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCMD.exe”

Ensure the task is running with the highest privileges and configure it to use a user account which is a member of the following groups:

  • ADSyncAdmins
  • ADSyncBrowse
  • ADSyncOperators
  • ADSyncPasswordSet

This new task will run under whatever schedule you fancy, and for good measure you can disable the original task if you’d like. When dealing with default configuration items in any piece of software, I would always recommend creating cloned configurations rather than modifying the default, as it gives you a way to back out of changes and allows you to compare old with new.
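The cloned-task approach above, as an added PowerShell example that is not part of the original post: it registers a second scheduled task for DirectorySyncClientCMD.exe on a custom interval, warns if the chosen account is missing from any of the four ADSync local groups, and optionally disables (never deletes) the built-in task. It assumes the default install path quoted in the post, the ScheduledTasks module (Server 2012 R2 or later), and a hypothetical account `CONTOSO\svc-aadsync` that you have already created; the task name and the `Azure AD Sync*` wildcard used to find the original task are also assumptions.

```powershell
# Added example, not from the original post: register a cloned AADSync scheduled task
# on a custom interval and leave the default task untouched (or disabled).
# Run from an elevated PowerShell session on the AADSync server.
# Assumptions: the default install path below, and a hypothetical account
# 'CONTOSO\svc-aadsync' already added to the four ADSync* local groups.

$exe      = 'C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCMD.exe'
$taskName = 'Azure AD Sync Scheduler (custom interval)'    # assumed name for the clone
$runAs    = 'CONTOSO\svc-aadsync'                          # hypothetical; replace with yours
$interval = New-TimeSpan -Hours 1                          # the post's "1 hour sync" case
$groups   = 'ADSyncAdmins', 'ADSyncBrowse', 'ADSyncOperators', 'ADSyncPasswordSet'

if (-not (Test-Path -LiteralPath $exe)) { throw "AADSync client not found at $exe" }

# Warn if the account is missing from any of the local groups the post lists;
# 'net localgroup <group>' prints the member list, one name per line.
$shortName = $runAs.Split('\')[-1]
foreach ($g in $groups) {
    if (-not ((net localgroup $g) -match [regex]::Escape($shortName))) {
        Write-Warning "$runAs does not appear in local group $g; the sync will fail to run"
    }
}

$cred    = Get-Credential -UserName $runAs -Message 'Password for the task account'
$action  = New-ScheduledTaskAction -Execute $exe
# A one-off trigger with a repetition gives a fixed interval; the repetition is capped at
# ten years here because an unbounded duration is not accepted on every Windows version.
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).Date `
               -RepetitionInterval $interval -RepetitionDuration (New-TimeSpan -Days 3650)
# Never start a second sync while one is still running; give up after two hours.
$settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
                -ExecutionTimeLimit (New-TimeSpan -Hours 2)

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Settings $settings `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password `
    -RunLevel Highest -Force | Out-Null

# Optional, as the post suggests: disable (do not delete) the built-in task so only the clone runs.
Get-ScheduledTask |
    Where-Object { $_.TaskName -like 'Azure AD Sync*' -and $_.TaskName -ne $taskName } |
    Disable-ScheduledTask | Out-Null

Get-ScheduledTask -TaskName $taskName | Select-Object TaskName, State
```

Registering the task with an explicit user and password means Task Scheduler stores that account's credentials, so use a dedicated account with only the four group memberships above rather than a domain admin, and leave the generated `AAD_…` account's password alone for the reason the post gives.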

The operation couldn’t be performed because object ‘EXCHANGE\First Storage Group\Mailbox Store (EXCHANGE)’ couldn’t be found on ‘DC.domain.local’.

A most inventive and amusing title to this post, if I do say so myself!

After installing Exchange 2010 into a legacy Exchange 2003 environment, you may be faced with the following error when viewing the properties of an Exchange 2003 mailbox in the Exchange Management Console. In addition to this, if you attempt to migrate a mailbox to Exchange 2010 from 2003, you may see this error:

Mailbox database “EXCHANGE\First Storage Group\Mailbox Store (EXCHANGE)” doesn’t exist.

This is a permissions issue, and the fix is relatively simple:

1. Log into your Exchange 2003 server and open the Exchange System Manager (affectionately known as ESM).

2. Go to the properties of the Mailbox Store mentioned in the error message:

Mailbox Store Properties

3. Go to the Security tab of the Mailbox Store and select the Advanced option. Tick the box to ‘Allow inheritable permissions’, and Apply your changes.

Mailbox Store Properties

4. If this doesn’t fix your problem, or if the ‘Allow inheritable permissions’ box is already ticked, then do the same thing (Advanced settings under the Security tab, make sure the ‘Allow inheritable permissions’ box is ticked) but to do this, go into the Properties of the server itself, not the Mailbox Store.

5. If even this doesn’t work, then you should manually add in the Exchange 2010 server into the permissions group for the Exchange 2003 server and give it Full Control.


Hope this helps!

Exchange 2013 Cumulative Update 8 now available

Exchange 2013 Logo

Exchange 2013 CU8 has been made available to the general public as of 17th March 2015. Along with the usual bug fixes, a few minor new features have been announced. From my point of view, the best new feature must be the automatic profile migration for Exchange Active Sync clients when being migrated to Office 365. This was the last piece in the puzzle of Office 365 migration as far as automatic reconfiguration goes, so I’m happy to see this included.

For a full list of updates and bug fixes, you can check out the Exchange Team Blog post at http://blogs.technet.com/b/exchange/archive/2015/03/17/announcing-cumulative-update-8-for-exchange-server-2013.aspx

Download link: http://www.microsoft.com/en-us/download/details.aspx?id=46373

Thanks for reading 🙂

Office 2016 Preview & Skype for Business

Big news today from the Office team!

The Office 2016 IT Pro and Developer Preview is now available! This is a very early build; however, those who choose to use the preview will receive updates and new functionality along the way, much like the Windows 10 Technical Preview. From an Office 365 point of view there are some lovely new features such as MAPI/HTTP built into Outlook, and much better deployment and update management options for Click-to-Run deployments. If you want to grab the Preview, you can log in or sign up for a Microsoft Connect account and get your grubby mitts on it!

More information can be found here: http://blogs.office.com/2015/03/16/announcing-the-office-2016-it-pro-and-developer-preview/

In other news, the Skype for Business Preview has also been announced. This is the replacement for the Lync client and has been forthcoming for some time now. The concept is to bring the Skype experience to Office 365 customers, whilst retaining the Enterprise features which make Lync such a popular product, much like OneDrive and OneDrive for Business. Just like the Lync client, this will be built into Office 2016, however this product is much further down the development timeline and will be rolling out to Office 365 Lync Online customers starting next month!

The announcement can be found here with further information: http://blogs.office.com/2015/03/16/get-ready-for-skype-for-business/

Office 365 MSOnline PowerShell and Proxy Servers

If you administrate Office 365 regularly, especially from different locations, you may well have seen this error:

There was no endpoint listening at https://provisioningapi.microsoftonline.com/provisioningwebservice.svc

The number one cause of this error is a proxy server. The likely cause is that your Internet Explorer browser has a proxy server configured. If this is in the form of a .pac file, you will need to go into IE > Internet Options > Connections > LAN Settings and remove the proxy entry. Your connection will now be successful.

However if you have a proxy server manually set to a specific server, you need to tell PowerShell to go via the proxy. First though, check your winhttp configuration by running CMD as Administrator and running the following command:

netsh winhttp show proxy

This will probably show the following result:

netsh winhttp show proxy (screenshot of the output)

Now run the following command:

netsh winhttp import proxy ie

This will import your proxy settings into your winhttp configuration and PowerShell should now navigate through the proxy and (hopefully) get to Office 365. Remember to restart PowerShell before attempting this! If this still doesn’t work, try removing the proxy settings in IE completely and retrying. If even this doesn’t do it, then you likely have a web filter blocking your traffic, in which case you will need to make sure the Office 365 IP addresses and/or URLs are allowed through your filter.

A lot of the above information depends on your network configuration and whether you are using transparent proxies or not, so information may not be 100% accurate to your specific setup. If you end up with incorrect winhttp settings and need to reset to defaults, run:

netsh winhttp reset proxy

from an Administrative CMD prompt and you will be back to square one.
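The .pac-versus-static-proxy distinction above, as an added PowerShell example that is not part of the original post: it reads the same Internet Explorer settings that `netsh winhttp import proxy ie` works from (the real `AutoConfigURL`, `ProxyEnable`, `ProxyServer` and `ProxyOverride` values under the IE `Internet Settings` registry key), warns when only a PAC script is configured, and otherwise sets the PowerShell session's default web proxy (with the logged-on user's credentials) before you call `Connect-MsolService`. The function names and the sample host `proxy.contoso.local:8080` mentioned in the comments are assumptions.

```powershell
# Added example, not from the original post: inspect the IE proxy configuration the post
# refers to, then point this PowerShell session's default web proxy at it before
# Connect-MsolService. Registry values are IE's real settings; function names are assumed.

function Get-IeProxyConfig {
    $reg = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    [pscustomobject]@{
        PacUrl      = $reg.AutoConfigURL      # set => IE uses a .pac script (winhttp cannot import this)
        Enabled     = [bool]$reg.ProxyEnable  # 1 => a manually configured proxy server
        ProxyServer = $reg.ProxyServer        # e.g. 'proxy.contoso.local:8080' or 'http=...;https=...'
        Bypass      = $reg.ProxyOverride      # the "bypass proxy for" list, if any
    }
}

function Show-WinHttpProxy {
    # The check the post asks for first; 'Direct access (no proxy server)' means nothing is imported.
    netsh winhttp show proxy
}

function Set-SessionProxy {
    param([Parameter(Mandatory)][string]$ProxyServer)
    # ProxyServer is either a bare host:port or a per-protocol list; prefer the https entry.
    $server = $ProxyServer
    if ($ProxyServer -match 'https=([^;]+)')    { $server = $Matches[1] }
    elseif ($ProxyServer -match 'http=([^;]+)') { $server = $Matches[1] }
    if ($server -notmatch '^https?://')         { $server = "http://$server" }

    $proxy = New-Object System.Net.WebProxy($server)
    # Authenticate to the proxy as the logged-on user; no password is stored in the script.
    $proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
    [System.Net.WebRequest]::DefaultWebProxy = $proxy
    return $server
}

Show-WinHttpProxy
$ie = Get-IeProxyConfig
if ($ie.PacUrl) {
    Write-Warning "IE uses a PAC script ($($ie.PacUrl)); 'netsh winhttp import proxy ie' cannot use it. Remove it or set a static proxy, as the post describes."
} elseif ($ie.Enabled -and $ie.ProxyServer) {
    $used = Set-SessionProxy -ProxyServer $ie.ProxyServer
    Write-Host "PowerShell will use proxy $used for this session"
} else {
    Write-Host 'No proxy configured in IE; connecting directly'
}
# Connect-MsolService    # from the MSOnline module; run once the proxy is in place
```

Setting `DefaultWebProxy` only affects the current PowerShell process, which is the point: unlike `netsh winhttp import proxy ie` it changes nothing machine-wide, so there is nothing to reset afterwards if it turns out a web filter, not the proxy, is what is blocking you.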

Hopefully this helps some of you suffering from issues when trying to connect to Office 365 PowerShell.

Exchange 2010 Update Rollup failed – error 1603

If you’ve never seen this error code before when installing Update Rollups for Exchange 2010, then you haven’t lived. There’s plenty of blogs and articles out there about it, but I wanted to record it for my own purposes so I don’t go trawling for the answer next time!

In a nutshell, the reason this happens is that UAC hates you.

Simple fix to this is to run CMD as Administrator, and use msiexec to install the Update Rollup, like this:

msiexec /update Exchange2010-KB2961522-x64-en.msp

Gotchas? Well the file should be on a local drive (not a network share). If you are still having problems after this, take a gander at the following KB article: http://support.microsoft.com/en-us/kb/2784788/en-us
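The two gotchas above (UAC elevation and a local path) as an added PowerShell example that is not part of the original post: it refuses to run unless the session is elevated, rejects UNC paths, runs `msiexec /update` with a verbose log, and maps the common exit codes. The `.msp` file name is the one quoted in the post; the `C:\Temp` location, the log path and the function name are assumptions.

```powershell
# Added example, not from the original post: install an Exchange 2010 Update Rollup from an
# elevated session, after checking the two gotchas the post names. Paths are assumptions.
function Install-ExchangeRollup {
    param([Parameter(Mandatory)][string]$MspPath)

    # Gotcha 1: UAC. A non-elevated session is the usual reason for error 1603.
    $id      = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
                   [Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { throw 'Not elevated: start PowerShell with "Run as Administrator"' }

    # Gotcha 2: the .msp must be on a local drive, not a network share.
    $full = (Resolve-Path -LiteralPath $MspPath).ProviderPath
    if ($full -like '\\*') { throw "Copy the rollup to a local drive first; $full is a network path" }

    # Verbose MSI log next to %TEMP%, named after the rollup file.
    $log = Join-Path $env:TEMP ('{0}.log' -f [IO.Path]::GetFileNameWithoutExtension($full))
    $p   = Start-Process -FilePath msiexec.exe -Wait -PassThru `
               -ArgumentList "/update `"$full`" /l*v `"$log`""

    switch ($p.ExitCode) {
        0       { "Installed OK (log: $log)" }
        3010    { "Installed, reboot required (log: $log)" }
        1603    { throw "Fatal error 1603 again; check $log and the KB article the post links" }
        default { throw "msiexec exited with $($p.ExitCode); see $log" }
    }
}

Install-ExchangeRollup -MspPath 'C:\Temp\Exchange2010-KB2961522-x64-en.msp'
```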

That’s about it. Happy Update Rollup’ing!

Office 365 in 2015 – What I’m Looking Forward to!

Office 365 Roadmap

As an evergreen service, Office 365 is always expanding and updating its service, providing users with new features and admins with more granular controls and functionality. Here is a list of updates I am particularly looking forward to this year.

  • MDM for Office 365 – at the moment this is a weak spot in the security of Office 365. Using ActiveSync Quarantine, you can control which devices are able to connect to corporate email, however you currently have no controls over which devices can connect to OneDrive for Business, SharePoint and Office apps. This is still in development but should be rolled out in the first half of 2015. http://blogs.office.com/2014/10/28/introducing-built-mobile-device-management-office-365/
  • Drive Shipping and Network Based Data Import for Office 365 – this will allow for large scale import of PST data into Exchange Online Archive mailboxes using centralised technologies such as drive shipping or network imports. This is a big feature request for customers, as the current method is to either import PSTs into Outlook and let the client sync (not ideal), or to use third party tools. This feature has no rollout date yet.
  • Compliance Center for Office 365 – this will provide a single pane of glass (SPOG) approach to managing compliance across all Office 365 services. You will be able to configure central policies that will apply across Exchange and SharePoint data and control data retention. This is available in preview as of Jan 2015.
  • MAPI over HTTP for Exchange Online – this is the long term replacement for RPC over HTTP (aka Outlook Anywhere) and simplifies and improves Outlook connectivity. This is being rolled out at the moment and will be complete at the end of Q1 2015.
  • Yammer integration with Office 365 – admittedly the rollout of this service is almost complete (due to be completed by the end of March) but if you don’t have it yet, then you can look forward to being able to seamlessly login to your existing or new Yammer network with your Office 365 credentials.

These are just a handful of the updates coming this year. As you can see, Microsoft are working hard to make this a service which provides real benefit and control to its customers. This is the benefit of using an evergreen service; it can constantly evolve and respond to customer feedback quickly and easily.

Remember to check the roadmap at http://roadmap.office.com to find out about features being worked on and rolled out!

Let me know in the comments which features you are looking forward to most 🙂

Office 365 Hybrid Mailbox Move stuck in ‘Removing’ state

This is an issue I’ve come across more than once now. An attempted mailbox move from Exchange 2010/2013 to Office 365 has failed and you want to remove the migration batch and try again. You try to remove the batch, but it just gets stuck in the ‘Removing’ state for an extended period of time. We need to give this request the finger and start from scratch, but how?

First things first, let's check the status of the move using PowerShell, as PowerShell will never lie! Log in to Exchange Online PowerShell, and run:

get-migrationbatch -identity <nameofbatch> | fl

If the status does read as ‘Removing’ and it’s been a long time since you started the removal, then you likely have a corrupted batch. Let’s forcefully remove it. To remove the batch, run:

Remove-migrationbatch -identity <nameofbatch> -force

If you now run the get-migrationbatch command above, you should get an error which states that the batch does not exist. Good news! We now just need to clear out the migration user requests which will still be lingering. To see which user requests exist, run:

Get-MigrationUser

If the only users in here are the users which were associated with your migration batch, then you can run:

Get-MigrationUser | Remove-MigrationUser -Force

to remove all of the migration user requests. However if there are other user requests in here which you do not want to remove, then remove the users individually by running:

Remove-MigrationUser <Identity> -Force

Now if you run the Get-MigrationUser command, you should see that the users who were in the corrupted batch are no longer listed. You can start a new batch once you’ve resolved whatever issue caused the mailbox move to fail and all should be tickety-boo 🙂
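The clean-up sequence above as one script, added here as an example that is not part of the original post. It goes one step beyond the post in a single respect: rather than choosing between "remove every migration user" and removing them one by one, it removes only the users whose `BatchId` matches the stuck batch, which is the safe default when other migrations share the tenant. It assumes an Exchange Online PowerShell session and uses `HybridMove-Batch01` as a placeholder batch name.

```powershell
# Added example, not from the original post: clear a migration batch stuck in 'Removing'
# and the migration users it leaves behind. Run in an Exchange Online PowerShell session.
# 'HybridMove-Batch01' is a placeholder batch name.
param([string]$BatchName = 'HybridMove-Batch01')

# Step 1: only force-remove a batch that really is stuck in 'Removing'.
$batch = Get-MigrationBatch -Identity $BatchName -ErrorAction SilentlyContinue
if ($batch) {
    if ($batch.Status -ne 'Removing') {
        throw "Batch '$BatchName' is '$($batch.Status)', not 'Removing'; do not force-remove a live batch"
    }
    Remove-MigrationBatch -Identity $BatchName -Force -Confirm:$false

    # Step 2: the batch should now be reported as not existing.
    if (Get-MigrationBatch -Identity $BatchName -ErrorAction SilentlyContinue) {
        throw "Batch '$BatchName' still exists after forced removal"
    }
    Write-Host "Batch '$BatchName' removed"
} else {
    Write-Host "Batch '$BatchName' does not exist; checking for lingering users"
}

# Step 3: list every lingering per-user request so you can see what else is in there.
Get-MigrationUser | Format-Table Identity, BatchId, Status -AutoSize

# Step 4: remove only the users that belonged to the corrupted batch.
$orphans = Get-MigrationUser | Where-Object { "$($_.BatchId)" -eq $BatchName }
foreach ($u in $orphans) {
    Write-Host "Removing migration user $($u.Identity) (batch $BatchName)"
    Remove-MigrationUser -Identity $u.Identity -Force -Confirm:$false
}

# Step 5: confirm nothing from the batch remains before starting a new one.
$left = @(Get-MigrationUser | Where-Object { "$($_.BatchId)" -eq $BatchName })
"Remaining migration users from batch ${BatchName}: $($left.Count)"
```

If the listing in step 3 shows that every lingering user belongs to the stuck batch, the filtered removal in step 4 is equivalent to the post's `Get-MigrationUser | Remove-MigrationUser -Force`; the filter only matters when other batches are in flight.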

In our case we were running mailbox export commands at the same time as mailbox migrations, and we had some timeout issues with the Mailbox Replication Service. The error we received in the migration report was “Relinquishing job because of large delays due to unfavorable server health or budget limitations”. Simple fix: just remove the migration batch once the exports were complete, and start again. What we didn’t bank on was that the migration batch would become corrupted. To resolve this, we allowed our mailbox exports to complete, and then restarted the Microsoft Exchange Replication Service. We then cleared the corrupted batch using the commands shown above, and started again. It completed successfully this time.

Enterprise Mobility Suite now available in an Open License programme near you

Enterprise Mobility Suite

As of March 1st, this awesome suite of cloudy goodness is available to small and medium businesses, supplied on Microsoft’s Open License programme. The Enterprise Mobility Suite consists of three tools which enable your users to be productive across any platform or device, whilst keeping the data on those devices secure. The suite consists of the following products:

  • Microsoft Azure Active Directory Premium – providing you with granular reporting, self service password reset and multi factor authentication.
  • Microsoft Intune – providing you with class beating Mobile Device Management, including conditional access features and System Center integration.
  • Microsoft Azure Rights Management – lock down your corporate data, whether in the cloud or on premise with Azure RMS.

I have had a play with all three of these products and I must say that there is a lot of very cool stuff in there. By the end of our week of testing, we had all the bells and whistles going, and the level of functionality which we had achieved was fantastic. Device enrolment was easy, MFA worked a treat and my test data felt like it was covered in bubble wrap.

Here are a couple of links about the announcement, and about the suite itself:

Announcement: http://blogs.technet.com/b/mpn_uk/archive/2015/03/05/the-enterprise-mobility-suite-ems-partner-opportunity.aspx

EMS: http://www.microsoft.com/en-gb/server-cloud/products/enterprise-mobility-suite/default.aspx