Categories
Azure Active Directory Azure AD AzureAD consent exchange exchange online Exchange Server Zoom

Azure AD Consent For Zoom App Not Applying

This is a issue where you enabled Admin Approved Consent in Azure AD (as you should) and you require apps that have high data access rights to be approved. The Zoom add-in/desktop app falls into this category as it requires write access to your calendar and your contacts in Exchange Online.

But if you set up admin consent requests in Azure AD you may find this breaks – the user requests consent calendar and contact access via the Zoom profile page (https://zoom.us/profile), chooses Office 365 and gets the following prompt.

End user consent form for Zoom application

The admin gets a request for approval email (as consent requested permissions are high [write calendar and write contacts]) and then once approved the user gets an email telling them so.

So the user goes back to the Zoom profile and tries again – and they get the same option as above. Though the admin has approved the app, it appears the user keeps asking for the admin to approve it.

The fix for this is in the Zoom admin Account Settings pages at https://zoom.us/account/setting and then scrolling down a long way to the “Calendar and Contacts” section (just search the page for 365 to find this bit).

Here you need to disable the option where users are asked to request consent. As in Azure AD you have set “admin grants consent”, you need to match this setting in the Zoom admin pages. This setting is as follows:

Zoom options on who requests consent and the O365 OAuth 2.0 option

Ensure the option highlighted matches your Azure AD consent settings – that means, as admin approval is recommended in Azure AD this setting in Zoom should be turned off (user does not request consent).

Other useful options you can set when you are here are to force the user to only consent for Office 365 (remove Google and Exchange Server options). Obviously if you have users mailboxes on either of these platforms and O365 you would not set the lock to the right as shown below:

Select your mail platform and lock consent options to that platform only

This hides this option from the user when they go to choose consent:

Which service to access in Zoom – this option can be locked to the only service you need

Once the platform is locked, the users experience removes the above page and shows the following in their Zoom profile:

Zoom profile and calendar access limited to a single platform

Then finally, you can enable the “Enforce OAuth 2.0 option” for Office 365, which is the last option in this section. This stops the user consenting via a legacy method that uses EWS and requires more than necessary permissions. By disabling this option you reduce the end user choices during calendar consent – that is you chose to consent and it is done rather than their being more steps than might be useful!

Here are my recommended settings for Zoom consent as described above:

My recommended settings
  1. Choose your service provider. If using Exchange Server and one of the other two cloud platforms, set Exchange Server as the default so that the EWS URL is provided to the user. Set the others as default and the EWS URL is blank in Zoom profile and the user needs to enter it.
  2. Lock this if using only one provider
  3. Turn this off and ensure you require Admin Consent (Microsoft default to this since the end of 2020)
  4. Set O365 consent to OAuth 2.0 to turn off the EWS option for Exchange Online. This setting does not affect your Exchange Server EWS URL mentioned above.

Photo by Julia M Cameron from Pexels
Categories
exchange exchange online iOS Outlook

iOS and Outlook Mobile and Duplicate Contacts

Of the back of a few conversations recently on having duplicate contacts in the iOS platform because of syncing via multiple different routes or devices I decided to try to reproduce the issues and see what I could work out.

I looked on my test iPhone to see if I could see any duplicates and to try and resolve – and given the conversations I was not suprised to find there were already a number of duplicates. So I have eight contacts and some of those where duplicates, some were missing on the device (only in iCloud) and some where different in Outlook Mobile from Contacts etc.

Here are some things I did to resolve these duplicates.

  1. I made the assumption that all my contacts where mastered in Exchange. So I was willing to delete everything on the phone as Exchange would put it back. I did find one contact in iCloud that was not on the phone and that was myself! So I did not delete that one.
  2. I have multiple test devices, two iPhones and one iPad. Each are signed into with the same Apple iCloud account, but each at any time could be synced to different tenants. This is probably a unique scenario to a consultant, but do ensure that each iOS device a user has under the same iCloud account is synced to the same tenant. Different tenants? Maybe try different iCloud accounts or be prepared for duplicates (see last paragraph for more info on this).
  3. Outlook Mobile > Settings > for each Email Account > Save Contacts – Turn Off > Delete from my iPhone
  4. Device Settings > Contacts > Accounts > iCloud > iCloud (yes, twice) > turn off Contacts > Delete from my iPhone
  5. Settings > Contacts > Accounts > other accounts > repeat above to delete.
  6. Open Contacts app on phone – it should be empty. On my device it now says “No Contacts”.
  7. Login to iCloud
  8. View Contacts from iCloud Contacts
  9. Delete them all (or at least those in Exchange). You can select more than one here at a time. So it is easy to tidy up contacts from here whereas on the phone it is delete one by one!

Then its time to restore the contacts to the phone.

  1. Open Outlook Mobile and Settings > for each Email Account > Save Contacts to On > Save to my iPhone
  2. Contacts app should list these (more will take longer, but they should start to sync shortly)
  3. Settings > Contacts > Accounts > iCloud > iCloud (yes, twice) > turn ON Contacts > Merge (there is nothing to merge if you deleted them all in #9 above)
  4. Your contacts now appear in iCloud (again, quite quickly but I guess this depends upon the number of them)
iCloud Contacts
iCloud Contacts – Duplicates Removed

If you have multiple iOS devices and you are signed into each of them with the same Outlook Mobile account AND you enable Save Contacts on more than one device, then you will get duplicates. You need to turn off Save Contacts on all but one device. This will remove the duplicates but it might take 24 hours for Microsoft to reconcile this duplicate state for you. I found this was instant though (but I only have a few intentional contacts and duplicates).

If you later on try to enabled Save Contacts on a second Outlook Mobile device you will get told that sync is already happening on a different device and that to sync from the current device will require contact deletion and sync to start. This will happen to attempt to ensure no duplicates across multiple devices.

Outlook Mobile (iPad) and Save Contacts being turned back on again (second device)

If you have more than one email account in Outlook Mobile then ensure that iCloud is the default for Contact Sync in Settings > Contacts > Accounts to give the best experience.

If you have multiple tenants in use but a single iCloud account then you will see the correct contacts in the Outlook Mobile for each device, but the Contacts app will show all the contacts from all the tenants. If the same contact is created in multiple tenants then you will have a duplicate. The Outlook link in each contact will only work on the device that is logged into that source tenant.

Categories
Azure Active Directory AzureAD exchange exchange online EXO Microsoft 365 Uncategorized

Why Do Comments In Microsoft 365 Planner Disappear?

So first you need an Exchange Online mailbox for comments to work. Comments to the tasks of Plans are stored in the Microsoft 365 Group mailbox, and you need an Exchange Online mailbox to access the M365 Group mailbox.

Behind the scenes, or actually not that behind the scenes, the process for comments is as follows.

  1. Create task
  2. Add comment to task – this places a new message in the Microsoft 365 Group that underlies the Planner.
  3. You can add more comments – the underlying message in the group is modified – this is where the comments are stored.
  4. You can reply to the message in the Microsoft 365 Group, and this adds a new comment
  5. You can add a new comment to the message in the Microsoft 365 Group. This adds a new comment.
  6. You can reply to the message you are sent in your inbox when someone replies to your comment – this adds a comment
  7. You can click the Green box in the group thread or the link in the notification email and this opens up the planner task in a new browser window and then you can reply. This adds the reply to the message in the Microsoft 365 Group.

Whatever you do though, you must not delete the underlying message in the Microsoft 365 Group as this is where the comments are stored. If you delete the message all the comments disappear. The next comment you add after deleting the message creates a new message and this then stores the entire new thread of future comments – the old thread is gone and so are the old comments in Planner.

Replies to notifications based of the old thread are not added to the task. The old comments are still visible in the notification emails, just not in the Plan!

This might be hard to explain, so lets also try it in pictures:

  1. I have two tasks in the Element Plan (which means I have an Microsoft 365 Group/Team called Element). The Plan is called “Test For Comments” and the two tasks are “Task 1 For Adding Comments” and “Task Two”
  1. Inside Outlook I open the Groups > Element group
  1. I have three messages here – this is because I deleted the message that originally appeared for “Comments on task ‘Test 1 for Adding Comments’”. If all the correct though I should have ONE MESSAGE PER PLAN. I can now only reply to the working thread. If I reply to the thread belonging to a previous delete it will not update the comments.
  2. If I reply to “Task Two” it works – this thread was never deleted
  3. If I reply to one of the “Task 1…” threads it gets added to the plan
  1. Note – no #8 visible here, but #8 appears in the top message thread in the Outlook screenshot
    Only if I reply to the other thread do I get a new comment.
  2. How did I end up with two threads? One was deleted in Outlook and then later I replied to the notification belonging to that conversation from my inbox. In the interim I had added a new comment in Planner and generated a new thread.

Lets intentionally break it!

  1. I have this in Planner:

    This contains replies numbered 4, 6, 7 and 9.
  2. In Outlook I delete the thread that shows #7
    1. Before
    2. Deletion warning – I cannot get this message back
    3. Item gone

  3. What does Planner look like

    Comments are gone! I deleted them and I confirmed the “permanently deleted” prompt. The data is lost.
  4. If I go into my Inbox and find a notification AND CLICK THE LINK in the notification, Planner opens and I can add a comment – a new message is created. I have edited the Plan directly in the browser

  5. If though I REPLY TO THE OLD EMAIL NOTIFICATION IN MY INBOX I get a reply to the old thread (which was deleted). As this old thread is NOT now the master for comments, any reply to this thread is out of date and though I can see the old comments here, if I reply to it the Plan will not be updated.

Comments with “From:” or “Sent:” will also fail – this is covered in the Planner support article at Comment on tasks in Microsoft Planner – Office 365

Other reasons, though more complex than the above, for comments disappearing in Plans is that the email routing for the comment is being sent to the wrong place. For example if you have a mail flow rule for hybrid or an external system (for example cloud signature software) and the messages to the group are being routed outside of Exchange Online then they will fail to deliver. You can check this in the Message Trace functionality and see if the messages are being routed outside of the service and then you need to fix your mail flow rules.

Categories
android Apple ATP Defender email EOP exchange exchange online Exchange Online Protection EXO iOS iPhone Office 365 Advanced Threat Protection phish phishing spam

Exchange Online Warning On Receipt Of New Email Sender

Released recently to no fanfare at all, Microsoft now has a SafetyTip that appears if you receive email from a first time recipient.

Most often phish emails will come from an address you have never received email from before, and sometimes this email will try to impersonate people you communicate with or are internal to your organization. Warning for attempted spoofed domains or users is part of Microsoft Defender for Office 365 (previously known as Advanced Threat Protection for Office 365) and the functionality to warn based on similar sender is also part of this product if you enable the “mailbox intelligence” option. But the option to warning for a new sender is available for all Exchange Online users without ATP licences.

The user sees the SafetyTip above the email body as shown below once this new feature is enabled:

New Sender Safety Tip

To turn on this option you enable a custom message header in a transport rule and then within 30 minutes or so, every new sender under the scope of the rule is warned when they receive email from a new sender. This also includes senders that have not send a lot of message to you, as I see that this Safety Tip appear on subsequent messages from the same sender. Not sure yet when this stops appearing for slightly less new senders!

To enable this feature create the following transport rule, restricting the scope of the rule to some users only to start with and then when happy with the functionality changing the rule to apply to all users.

First Contact Safety Tip Transport Rule

Open Exchange Online Control Panel (at the time of writing this is in the old UX for this, so these screenshots represent the classic view – this will change at some point in the future) and select Mail Flow > Rules

Click the + icon > Modify Messages and fill in the name “Enable First Contact Safety Tip”

Select under Apply this rule if… The sender is located > Outside the organization

Select under Do the following… Set the message header to this value and click the first option for Enter text and copy and paste the following string X-MS-Exchange-EnableFirstContactSafetyTip

Click the second option for Enter text and enter any value you like. I have had reports that only “enable” works but that is not my experience and I had this working with the value AnythingYouLike!

I turn off the audit option and then save the rule as shown:

New Transport Rule for First Contact Safety Tip

To set the rule for a pilot program, click More options and then the newly displayed add condition button and then select that the rule should only apply if the recipient is and select a few names from your global address list.

Pilot Program for First Contact Safety Tip

Within 30 minutes and then the next new sender and Outlook, Outlook Web Access and Outlook Mobile will display the new safety tip

Categories
exchange exchange online Microsoft 365 Office Office 365 Raspberry Pi

Microsoft 365 From A Raspberry Pi 400 Personal Computer

So my new computer arrived today, its a keyboard and a few cables, and as my first computer was a ZX Spectrum when I was 14, this brings back a few memories.

New boxed Raspberry Pi 400 PC kit

But, is it usable today with services such as Microsoft 365? Lets see…

First, the actual computer is in the keyboard, but its smaller than a standard PC sized keyboard. Indeed the manual the comes with it! is almost as big and heavier than the computer.

The manual, the Pi Keyboard (white) and a standard PC keyboard (black)

Plugging it in was easy, and once connected to the monitor and powered on it runs through a first use series of steps. With all that out of the way and the latest updates downloaded and installed the device rebooted and I logged in.

Cables everywhere. It supports WiFi as well so I could have avoided the purple Ethernet cable

Starting the web browser is easy – there is an icon top left and Chromium opens. Logging into Office 365 via https://office.com is as you would expect, though some of the fonts used are not present and so the login screen looks slightly wrong.

From Office homepage I clicked Teams icon and it presented me with the below – an offer to install the Teams Linux client and two choices, Linux DEB or Linux RPM.

Teams on Pi and an offer of two installers though neither of these work on an ARM processor

Neither of these work with ARM based Raspberry Pi computers though, so need to use the web application. Also from the Teams perspective, there is no built in camera or microphone, but it did only cost £95 for the entire kit. A Bluetooth microphone might connect, but I don’t have one to hand to test with. Any USB microphone would work and a USB camera, with a microphone, can be enabled with a few commands run at the prompt.

Enabling video with the fswebcam installer

Chromium comes with the uBlock Origin extension enabled, which blocks some functionality in Teams such as notifications. I just turned off the EasyPrivacy list for the rest of my introductory testing and not a lot was blocked after that.

Outlook Web App, Word etc all worked efficiently though slightly slow for my preference, but again – its a sub £100 computer.

When using Office in Chromium it offers to add a link to the desktop – this adds the Office icon and then Office appears like an app, though its only Chromium. This is a nice feature akin to Chromebooks.

Office icon on the desktop and Office open and not looking like its really a browser

This functionality is not limited to Office, for example in Outlook Web App I can choose to “Install Outlook” from the three dots icon top right of the browser. This opens Outlook as a separate web app and adds an icon to the desktop like Office got when I opted to “pin” Office when prompted to do so in that web page.

Install Outlook menu item in Chromium when OWA is the open tab
Install App confirmation
Outlook – on the Raspberry Pi

So that will do for now – everything else I can do in the Raspberry Pi for Microsoft 365 is generally as I can do it in any of the web apps on any platform.

Categories
DNS EOP exchange exchange online Exchange Online Protection Exchange Server smtp

Enabling Better Mail Flow Security for Exchange Online

At Microsoft Ignite 2020, Microsoft announced support for MTA-STS, or Mail Transfer Agent Strict Transport Security. This is covered in RFC 8461 and it includes making TLS for mail flow to your domains mandatory whereas it is currently down to the decision of the sender.

You can publish your SMTP endpoint and offer the STARTTLS verb but there is no requirement for the sender to use it unless you have configured the sender as well to ensure that they only email you over TLS (for example RequireTLS and TLSDomain settings in Exchange Server/Exchange Online connectors). MTA-STS allows you, the domain owner, to publish your TLS requirements.

You publish your requirements by placing a policy file in your websites “.well-known” directory. The policy will have version: STSv1 and mode: [testing|enforce|none] and mx record. “Testing” for mode says send the delivery of the email will work regardless of success or failure, but also send a report if it failed. “Enforce” means security must pass or the message delivery fails and “none” clears the policy, acting as if you don’t have a policy but giving you a route to remove the policy cleanly rather than what might happen if the policy was to disappear (mail flow should stop). The policy will also have a max_age value in seconds on how long the sender should cache the policy. For example:

version: STSv1
mode: testing
mx: mail.domain.com
mx: c7solutions-com.mail.protection.outlook.com
max_age: 86400

In the above example, my policy is for testing and so I have set a short max_age value, though a value of weeks or more would typically be expected with 31557600 being the largest value you can set (a year and 1/4 of a day in seconds).

The text file must be called mta-sts.txt in the .well-known folder of the mts-sts domain, for example https://mta-sts.c7solutions.com/.well-known/mta-sts.txt

Finally, the policy is published via DNS with the _mta-sts subdomain record:

_mta-sts.c7solutions.com  TXT  "v=STSv1; id=202009241541"

This DNS record must be v=STSv1 and the id needs to be a value that changes when the policy file changes, so I have just used a date string, but it could be anything that you change as the policy changes. The DNS record can also be a CNAME record instead of a TXT record when someone else hosts your email infrastructure and in this case the value points to the MTA-STS domain of the provider instead.

Testing mode was mentioned above, and that is covered in my second blog post today on this topic – Reporting on MTA-STS Failures

Categories
EOP exchange exchange online Exchange Online Protection Exchange Server

Reporting on MTA-STS Failures

This article is a follow up to the Enabling Better Mail Flow Security for Exchange Online which discusses setting up MTA-STS and in this article we cover the reporting for MTA-STS.

To get daily reports from each sending infrastructure to receive reports on MTA-STS you just create a DNS record in the following format:

_smtp._tls.c7solutions.com IN TXT "v=TLSRPTv1;rua=mailto:hostmaster@c7solutions.com"

It took about a week before I got some reports and at this time they have only come, now daily, from Google. They come as a JSON file compressed in the GZip format and once expanded appear as follows:

{
 "organization-name":"Google Inc.",
 "date-range":
 {
  "start-datetime":"2020-10-08T00:00:00Z",
  "end-datetime":"2020-10-08T23:59:59Z"
 },
 "contact-info":"smtp-tls-reporting@google.com",
 "report-id":"2020-10-08T00:00:00Z_c7solutions.com",
 "policies":
 [
  {
   "policy":
   {
    "policy-type":"sts",
    "policy-string":
    [
     "version: STSv1\r",
     "mode: testing\r",
     "mx: mail.domain.com\r",
     "mx: c7solutions-com.mail.protection.outlook.com\r",
     "max_age: 86400"
    ],
    "policy-domain":"c7solutions.com"
   },
   "summary":
   {
    "total-successful-session-count":1,
    "total-failure-session-count":0
   }
  }
 ]
}

As we can see, nothing interesting – it worked for the one email I got into this domain from Gmail that day! On one result its not time to change the policy from “testing” to “enforce” but it might be soon as I know it is working.

Categories
enhanced filtering EOP exchange exchange online Exchange Online Protection Exchange Server mimecast Office 365 spam

Enable EOP Enhanced Filtering for Mimecast Users

Enhanced Filtering is a feature of Exchange Online Protection (EOP) that allows EOP to skip back through the hops the messages has been sent through to work out the original sender.

Take for example a message from SenderA.com to RecipientB.com where RecipientB.com uses Mimecast (or another cloud security provider). The MX record for RecipientB.com is Mimecast in this example. When EOP gets the message it will have gone from SenderA.com > Mimecast > RecipientB.com > EOP, or it will have gone SenderA.com > Mimecast > EOP if you are not sending via any other system such as an on-premises network.

EOP though, without Enhanced Filtering, will see the source email as the previous hop – in the above example the email will appear to come from Mimecast or the on-premises IP address – and neither of these are the true sender for SenderA.com and so the message fails SPF if it is set to -all (hard fail) and possibly DMARC if set to p=reject. EOP won’t, because of this complexity in routing, reject hard fails or DMARC rejects immediately.

So how can you tell EOP about your complex routing – this is Enhanced Filtering. You add the IPs of your on-premises network and your cloud filter to the inbound connector that you create in EOP to receive your emails. For any source you need the list of IPs and here are the IPs at the time of writing for Mimecast EU and US datacenters in an easy to use PowerShell cmdlet to add them to your Inbound Connector in EOP – you need the correct IPs for your datacenter and the correct name in the cmdlet for your inbound connector.

Set-InboundConnector "Inbound from Mimecast EU" -EFSkipIPs 207.82.80.0/24,146.101.78.0/24,185.58.84.0/22,91.220.42.0/24,195.130.217.0/24,193.7.205.0/24,193.7.204.0/24

Set-InboundConnector "Inbound from Mimecast US" -EFSkipIPs 63.128.21.0/24,216.205.24.0/24,170.10.129.0/22,170.10.128.0/22,205.139.110.0/23,207.211.30.0/24,207.211.31.0/25

In the above, get the name of the connector correct and it adds the IPs for you. It takes about an hour to take effect, but after this time inbound emails via Mimecast EU are skipped for spf/DMARC checking in EOP. For organisations with complex routing this is something you need to implement.

Categories
attribution domain enhanced filtering EOP exchange exchange online Exchange Online Protection Exchange Server mimecast Office 365 smtp transport

Mail Flow To The Correct Exchange Online Connector

In a multi-forest Exchange Server/Exchange Online (single tenant) configuration, you are likely to have multiple inbound connectors to receive email from the different on-premises environments. There are scenarios where it is important to ensure that the correct connector is used for the inbound message rather than any of your connectors. Here is one such example.

With multiple inbound connectors you might be happy and successfully complete your testing if the email from on-premises appears in the correct cloud mailbox. But what about when you use Enhanced Filtering. Here you need to add the intermediate IP addresses of all the hops the message can go through to the specific connector so that Exchange Online Protection can determine the real source IP address and then do spam/spf etc. on the true sender IP and not the hop before Exchange Online Protection (likely your on-premises server and not the actual source).

For example, lets send an email from SenderDomain.com to RecipientDomain.com, where RecipientDomain.com uses Mimecast, has Exchange Servers and has moved mailboxes to Exchange Online. The mail flow for this scenario is:

SenderDomainServer Public IP > MX (Mimecast) > Mimecast IPs > On-Premises IPs (internal) > Public IP for on-premises servers > EOP

From the EOP view point, the email is received from the public IP for the on-premises servers and not from the actual sending IP address. This means that the message will fail SPF as you have complex routing in-front of the receipt by EOP. This, out of interest, is the reason why EOP will not reject SPF failures even if DMARC reject is in place.

When the message arrives at EOP, the message needs to be attributed to the correct connector. If you have multiple Exchange Server orgs in separate on-premises environments you need to make sure that the message is associated (attributed) to the correct Inbound Connector.

This message attribution is done by looking for all Inbound Connectors of type On-Premises in your tenant. If you have more than one connector of type On-Premises, looking up the TlsSenderCertificateName value on the Inbound Connectors to find the connector that best matches the certificate used to encrypt the inbound message. So lets take a look at the example above again. In the “Public IP for on-premises servers > EOP” hop this message will be encrypted with a certificate called (lets say) “mail.recipientdomain.com” and the Exchange Hybrid Wizard will have created the Inbound Connector for this mail flow with TlsSenderCertificateName set to *.recipientdomain.com. Other Inbound Connectors from other on-premises orgs are possibly going to have similar certificates (they should not have the same one) with similar subject names and the Hybrid Wizard could have made more than one Inbound Connector with *.recipientdomain.com as the TlsSenderCertificateName value. If you have multiple Inbound Connectors of type On-Premises and more than one connector with TlsSenderCertificateName set to *.recipientdomain.com then the message could be attributed to the wrong connector.

If you have set Enhanced Filtering IPs to the other connector though, the Enhanced Filtering will not work because the message is not received by the connector you think it should be received by.

So how do you fix this. You modify the Hybrid Wizard created Inbound Connector TlsSenderCertificateName value to be the subject name of the certificate, so not *.recipientdomain.com but mail.recipientdomain.com and you register mail.recipientdomain.com as a domain in Office 365. You need to do both. The reason the Hybrid Wizard sets TlsSenderCertificateName to *.recipientdomain.com is to avoid you needing to add domains to Office 365 that match your certificate precisely, but if you have multiple connectors this is the only way to guarantee message attribution to the correct connector.

Now you can add the IPs you want to skip with Enhanced Filtering to the specific connector, mail flow will use the specific connector and the IPs will be skipped. EOP will resolve the correct sender IP (SenderDomain Public IP in the above example) even though the message has gone through Mimecast and on-premises servers as well. The message headers will now show:

X-MS-Exchange-SkipListedInternetSender ip=[Sender Server IP Address];domain=FQDN of sender

And not list Mimecast (or whomever you are using as a second cloud filter) or your on-premises IP addresses as the true sender.

Categories
exchange online Exchange Server mailbox migration move powershell

Force Mailbox Migration With Bad Items To Complete (2020)

It used to be easy to complete an Exchange Server > Exchange Online move request that had bad items, but this has changed recently.

In the last short while Move Requests (and Migration Batches) have begun to include a property called DataConsistencyScore

Get-MoveRequestStatistics "Bill Gates" | fl DataConsistencyScore

If the result from the above is “Investigate” then you will not be able to complete the move even if you set the usual properties of -PreventCompletion $false and -CompleteAfter 1, that is – the following will not work:

Set-MoveRequest "Bill Gates "-SuspendWhenReadyToComplete $false -PreventCompletion $false -CompleteAfter 1

You will also need to set the following:

Set-MoveRequest "Bill Gates" -SkippedItemApprovalTime  $(Get-Date).ToUniversalTime()

Upon running the above (the move request will auto resume in my tests), the move will start to complete if completion is allowed (the cmdlets at the top of the post). Obviously you will want to check why there are a number of bad items in the move and what you are going to try and do to fix them.

The SkippedItemApprovalTime property approves all bad items detected before the specified time. So in the above example we are approving all bad items to be discarded that were found before “now”. You could set an earlier specific time as well.

You now do not need to set a bad item limit (BadItemLimit) value as you are approving items by time instead.

Categories
booking calendar exchange online Outlook places room

Making Your Office 365 Meeting Rooms Accessible

Or How to Use Set-Place to Configure Your Meeting Rooms or How Wheelchair Users Can Find The Best Meeting Rooms In Your Organization etc. – there are many different titles I can think of for this blog post. They are all to do with setting useful properties against your meeting rooms so that your users can find the best rooms.

As of the time of writing (updated July 2020), “Outlook Places” service exposes a client-side UX only in Outlook on the web (OWA) with Outlook for Windows and Mac due by end of August 2020. Given Microsoft’s previous behaviour of flighting Exchange Online features for one client initially before rolling them out to other clients, this is likely to hit Outlook mobile etc. at some point after that. Therefore I recommend that you update all your room properties now using the PowerShell cmdlet Set-Place so that your users are able to find meeting rooms and other resources upon the functionality appearing in their client.

The Exchange Online Management Shell cmdlet Set-Place allows you to configure properties such as if the room is accessible for wheelchair users (hence the title of this blog post), or what AV equipment it holds or indeed how many people the room can hold (comfortably!). As this information, especially in a large organization, is probably known by many different people and requires the input of these different users to maintain a master list, this blog post will look at the process of creating this list and then importing it back into Exchange Online when updated.

Creating A Master Room Metadata List

From Exchange Online Management Shell run the following:

Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited | Get-Place | Export-CSV OrganizationRooms.csv -NoClobber -NoTypeInformation

Open the file, here called OrganizationRooms.csv in Excel. I removed the first three columns (PSComputerName,RunspaceId,PSShowComputerName) as well as Type, ResourceDelegates, IsManaged, BookingType and Localities and the last two columns (IsValid and ObjectState) from this file and then save it as an Excel file to OneDrive for Business or SharePoint Online and shared it with the relevant facilities management and other interested parties (don’t share it as a CSV file, as multiple users cannot edit a csv file in real time). We wait for this information to be updated. If you wish you could lock out cells from being edited such as Identity and maybe DisplayName so that future updating of existing rooms is easy to do.

Specifically we are looking at information such as location (physical street/city address, building name [for campus type organizations], floor number and GeoCoordinates), AV equipment (such as audio, video, display devices and room phone number), accessibility for wheelchair users, and miscellaneous tags (in the form of a comma separated list such as “Conference Room”,Lecture,“Tiered Seating”) that users could use in their room search. There are tools to generate geo-coordinates from addresses that you can find online and they are required as latitude;longitude;altitude (where altitude is optional)

Updating Room Metadata in Exchange Online

To upload the new data, save the shared Excel spreadsheet as a CSV file again and run the following Exchange Online Management Shell script:

$OrganizationRooms = Import-Csv .\OrganizationRooms.csv
ForEach ($Room in $OrganizationRooms) {
    [Boolean]$IsWheelChairAccessible = [System.Convert]::ToBoolean($Room.IsWheelChairAccessible)
     Set-Place -Identity $Room.Identity -Street $Room.Street -City $Room.City -State $Room.State -PostalCode $Room.PostalCode -CountryOrRegion $Room.CountryOrRegion -GeoCoordinates $Room.GeoCoordinates -Phone $Room.Phone -Capacity $Room.Capacity -Building $Room.Building -Label $Room.Label -AudioDeviceName $Room.AudioDeviceName -VideoDeviceName $Room.VideoDeviceName -DisplayDeviceName $Room.DisplayDeviceName -IsWheelChairAccessible $IsWheelChairAccessible -Floor $Room.Floor -Tags $Room.Tags
     Set-Mailbox $Room.Identity -DisplayName $Room.DisplayName
}

In the above code I have not included attributes from Get-Place that I cannot write back such as IsManaged, BookingType and Localities – I am interested though in knowing what they are used for as they are undocumented?

The above code just replaces the current values in Exchange Online with the values in the spreadsheet, so the spreadsheet becomes your master.

Note that values with spaces need to be quoted in the CSV – such as tags and various display names. Also it is worth being aware that with conference bridges and Teams meetings, room “capacity” is not always as important as it might sound – a room with a capacity of 3 people will work fine if everyone is remote! Booking multiple rooms for a single meeting is also planned.

If the room object is synced from on-premises Active Directory then you can still use Set-Place to update the object in the cloud. The previous way of setting some of these properties (i.e. City) used Set-User and that needed to be run against the source of the object (that is, if synced you needed to run Set-User on-premises against Active Directory).

Set-Place can be viewed at https://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/set-place?view=exchange-ps

Exchange Server

All rooms and resources that you manage via the steps in the blog post need to be Exchange Online resources. If the mailbox is still on Exchange Server and not moved to Exchange Online in a hybrid scenario, you are not able query and set the information in Get-Place or Set-Place

But that does not mean you cannot get ready for the day that you move those resources (rooms) to Exchange Online. On Exchange Server you can run the following Exchange Management Shell PowerShell and get a csv file with exactly the same columns as above. Get the spreadsheet filled in as mentioned above and then when you move the room to Exchange Online and update Set-Place, the room will be found and updated.

Set-ADServerSettings -ViewEntireForest $true
Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited | Select Identity,DisplayName,Street,City,State,PostalCode,CountryOrRegion,GeoCoordinates,IsManaged,BookingType,ResourceDelegates,Phone,Capacity,Building,Label,AudioDeviceName,VideoDeviceName,DisplayDeviceName,IsWheelChairAccessible,Floor,FloorLabel,Tags,Localities,SpaceType,CustomSpaceType,IsValid,ObjectState | Export-CSV OrganizationRooms-OnPremises.csv -NoClobber -NoTypeInformation

User Room Search Experience

At the time of writing (July 2020) this experience is rolling out to Outlook, having been in OWA for about a year. The new experience will use the “Outlook Places” backend service, which Set-Place we used above populates.

To view and search for rooms based on these settings you need (for now) to wait 24 hours from using Set-Place before the property can be searched. You then create a new event in OWA calendar and click “Search for a room or location” and then click “+ Browse more rooms”.

The suggested rooms listed are those you have used or attended meetings at recently, but if you click in the “Search for a city or room list” box you can either enter a city or room list name (suggest naming your room lists after buildings) and click “Show all rooms” or click the City or Room List name:

Browse rooms dialog
Browse Rooms by City

This allows the “Filters” option to become available, where you can filter for capacity (rooms larger than) or properties such as audio/video or accessible rooms.

Browse rooms with filter dialog

Once you have set the features you need, click Apply and select the room you need for the meeting. Being able to book multiple rooms for a single meeting is coming to Office 365 in the next few weeks from writing this article as well – imagine booking a meeting where people attend remotely but the remote location is another office.

Call To Action

Even though this “places” functionality does not reach all the Office email/calendaring clients (yet), this should not be a reason not to do this categorization work. Its quite easy to generate a list of all the rooms and their current settings (see above) as a spreadsheet. Its more work to update that list, but if you have a list then you can start. Rooms don’t often change their status regarding accessibility etc. but if you start cataloguing your rooms now or add this work to an Exchange Server migration project, then your users will benefit as the functionality reaches the client they use.

If you don’t update your places metadata, then clients will be unable to successfully find meeting rooms.

Categories
cyber bullying exchange exchange online Exchange Server offensive Office 365 supervision

Review and Audit Offensive Language in Office 365 Communications

A new feature as of May 2018 in Office 365 is to filter communications based upon the offensive language machine learning filter. This is part of the Supervision settings that have been available for a number of years. The Offensive Language model uses a combination of machine learning, artificial intelligence, and keywords to identify inappropriate email messages as part of anti-harassment and cyber bullying monitoring requirements.

Here we will walk through the process of setting up the offensive language filter and testing it out (without offending anyone)!

Setting Up Offensive Language Supervision

Open the Compliance Center at https://compliance.microsoft.com and select Supervision on the left as shown:

image

At the time of writing, the Compliance Center is new and not everything is visible here. By the time you read this article it might be possible to create your supervision reviews from this portal, but for now we need to go to the Security and Compliance Center – so click the link at the top of the page. You will see this:

image

If you cannot see this then you do not have the right permissions. Add yourself to the Supervisory Review role group so you can set up policies. Anyone who has this role assigned can access the Supervision page in the Compliance Center.

Click Create to create a supervision review. Enter a name and a description. You cannot change the name later on.

image

In the next page, select the users to supervise. Start with a test group before editing this policy to add a group that contains everyone.

image

You can also select users who are in the group and specifically exclude them if needed. Communications via Exchange and Teams are included by default. Third party sources can be added as well.

Click Next and move to the Choose communications to review tab. Here select Internal communications (which is not selected by default) and choose Use match data model condition. There is only one model, and that is the Offensive Language model – so that gets selected by default.

image

If you want to scope the filter a bit more then you can select Add a condition and set up rules – for example you could exclude a specific domain inbound.

Click Next and get to the Specify percentage to review tab

image

Here you get to set the percentage of communications to review. The default is 10%. This means that only 10% of all communications are reviewed, and the results you see are based on what was found in that 10%. In large organizations, 10% could be a lot of communications, and therefore could be a fair amount of offensive content. Therefore ensure both your reviewers are able to manage the review process without undue impact and understand that whatever you find – there is 10 times more of it happening. Smaller organizations might want to increase the percentage to review, or at least consider increasing the percentage to review.

Click Next and enter the email addresses of the reviewers. They need to have an Exchange Online mailbox to be able to do this, but the content for review does not go into the reviewers mailbox.

image

Click Next and get to the Review your settings tab. Check everything is okay and click Finish.

image

Your policy will be listed so that you can update it, apart from the name, in the future.

The policy is also displayed in a pop-out as shown:

image

In this pop-out you can see the name of the mailbox that the content for review will go into – therefore those users who are reviewers will need to have access to this mailbox if they want to use Outlook to do their review process. If the reviewers have access to the Compliance Center then review can be done there instead of in Outlook/OWA. Permissions need to be granted to the mailbox using PowerShell. The two cmdlets are, using your supervisory review mailbox as listed in the policy results.

Add-MailboxPermission "SupervisoryReview{GUID}@domain.onmicrosoft.com" -User "alias or email address of the account that has reviewer permissions to the supervision mailbox" -AccessRights FullAccess
Set-Mailbox "SupervisoryReview{GUID}@domain.onmicrosoft.com" -HiddenFromAddressListsEnabled: $false

You can add “-AutoMapping $false” to the Add-MailboxPermission if you want the review mailbox not always to appear as an additional mailbox in Outlook.

To Review Your Supervision Policy

In the Supervision Review pop-out (which you can get back by clicking on the policy name), click Open at the top.

This takes you to:

image

Here I can see I have nothing to review or pending items to look at. If you want to test this, think of something offensive and send it to yourself! It might turn up in the review portal, or it might not – remember only 10% of communications are subject to review.

Note: Emails subject to defined policies are processed in near real-time and can be tested immediately after the policy is configured. Chats in Microsoft Teams can take up to 24 hours to fully process in a policy.

I’m not going to send anything, but I will take a look back here later and I might update this blog if I ever get any hits!

To review the content, the menu across the top for Review and Resolved Items will show you the items and those that have been resolved. The actual HR and discipline process is obviously not covered by anything in this review process. Once resolved in the company, mark it as resolved here.

In OWA, you can open an additional mailbox and enter “super” and the supervisoryreview{GUID} mailbox appears:

image

Inside the supervisory review mailbox, there is a folder for the policy you just created and inside that are subfolders that indicate review (Non-Compliant and Questionable) and Resolved:

image

Blocking Offensive Language

This is just a review process. If you want to block content, then create a DLP policy that uses a dictionary of words to block. For more on the dictionary creation see https://docs.microsoft.com/en-us/office365/securitycompliance/create-a-keyword-dictionary

Categories
2016 2019 autodiscover autodiscover v2 calendar exchange exchange online Exchange Server Microsoft Teams Teams

Teams Calendar Fails To On-Premises Mailbox

Article Depreciated: Microsoft now auto-hides the Calendar icon in Teams if your on-premises Exchange Server is not reachable via AutoDiscover V2 and at least Exchange Server 2016 CU3 or later. Once you move your mailbox to Exchange Online (or a supported on-premises version), assuming you did not do any of the below, your Calendar icon appears in the left rail shortly after mailbox migration, though I have seen it take six hours and needs a Teams client restart as well

In Microsoft Teams, you have a calendar  (previously called meetings) icon in the main display that shows your diary and meetings etc. – except it does not work if your mailbox is not either in Exchange Online or, if if your mailbox is on-premises, you are not using Exchange Server 2016 CU3 or later.

The reason for this is that the Teams calendar uses AutoDiscover v2, which is only supported by Exchange Server 2016 CU3 and Exchange Online (note that CU3 is not the current version of Exchange Server 2016 and versions later than CU3 also support AutoDiscover v2).

This means that if you have an earlier version of Exchange Server on-premises then the calendar in Teams is not functional. This raises IT support calls as users expect it to be available, and this impacts your deployment of Teams as it appears broken.

So how can we fix this. Well clearly migrating to Exchange Online or installing the 2016 or later version of Exchange Server is the obvious option from the above, but there is another option to work around this issue. The “fix” is to remove the calendar icon from Teams. This does not stop you booking meetings, as you can still do that in Outlook with the Teams add-in or in the Outlook mobile client, where Teams meeting support is rolling out as I write this blog. If I remove the calendar icon, then the source of the errors disappears, but Teams is not really adversely impacted.

So this is what we start with:

image

And we remove the icon by creating a new App Setup Policy in the Teams Admin centre and then deploying that policy to all your users (with on-premises mailboxes on older versions of Exchange, or those not using Exchange for calendaring). You can easily roll this out as a test, though its about 24 hours for the effect to be seen, and then roll it out in bulk for all your impacted users. We will cover all this below:

 

1. Creating App Setup Policy

In the Teams Admin centre (https://admin.teams.microsoft.com) expand Teams Apps > Setup Policies and create a new policy. This policy is based on your current Global policy.

Select the Calendar app and remove it from this new policy. You should see something like this:

SNAGHTML31beae7d

Here I have created an app policy called “With OnPrem Mailboxes” and removed the Calendar app from it.

2. Applying App Setup Policy To A Test User

Once you have the policy ready, its time to test it. Policy changes will take 24 hours to apply (so say the docs) and I found on my testing it was 18 hours when I ran through these steps – so this is not quick!

To make sure your changes work, the plan here is to deploy this new policy to a few selected individuals in the Teams admin centre.

Find the first user and click on their name. In the details page you will see the policies applied to the lower left:

image

Click Edit at the top right of this section and change the App setup policy to your new policy:

image

And click Save:

image

You will see your new policy in the list.

Repeat for the rest of your test pool of users using the portal. We will not use the portal for deploying it to all users though, that will take too long!

Next day, these users should see something like this – no calendar:

image

3. Applying App Setup Policy To All Users

To apply this change to all users once your test users are happy we will use PowerShell, and we will use the Skype for Business Online PowerShell cmdlets (not the Teams PowerShell!).

The following one-line PowerShell, once you have connected to your tenant, is:

Get-CSOnlineUser | ForEach-Object { Grant-CsTeamsAppSetupPolicy -PolicyName "With OnPrem Mailboxes" -Identity $_.WindowsEmailAddress }

This gets all your users and applies a new Teams App Setup Policy to each of them. This works initially with this problem, as we assume all users are affected. If only a subset of your users are on-premises, then do not use this cmdlet to apply the initial change, but use the below to be more selective.

Within 24 hours the Calendar app will disappear from Teams for your users and they will not be phoning the help desk with issues that none of you can easily fix!

4. Applying App Setup Policy To Selected Users

The above cmdlet is a single run – it does not affect later and new users, nor is there a concept of a default policy that you can set as the one each new users gets. So every so often depending upon how often new users start employment you will want to run the below:

Get-CsOnlineUser -Filter { TeamsAppSetupPolicy -ne "With OnPrem Mailboxes" } | Grant-CsTeamsAppSetupPolicy -PolicyName "With OnPrem Mailboxes"

This gets all users where they do not have the selected App Policy already set and sets this just for these users. This is quicker than setting it for all users regardless.

You can use other filters to select users – for example, you could look for users without an on-premises mailbox and then run the ForEach against each of these users instead – this would work in a hybrid deployment.

When you are in a hybrid deployment and you move mailboxes to Exchange Online from on-premises, you will want to set those users just moved back to a policy that includes the calendar app. The same would go for organizations migrating to Exchange Server 2016 with inbound AutoDiscover from Office 365. Here you could use something like importing a CSV file of mailboxes being migrated (the same list you used to build the migration batches in the first place would do) and then run the ForEach for each item on the CSV file.

Categories
AADConnect AADSync active directory Azure Active Directory Azure AD compliance conditional access device download enterprise mobility + security exchange online microsoft Office 365 OneDrive OneDrive For Business sharepoint

Read Only And Document Download Restrictions in SharePoint Online

Both SharePoint Online (including OneDrive for Business) and Exchange Online allow a read only mode to be implemented based on certain user or device or network conditions.

For these settings in Exchange Online see my other post at https://c7solutions.com/2018/12/read-only-and-attachment-download-restrictions-in-exchange-online.

When this is enabled documents can be viewed in the browser only and not downloaded. So how to do this.

Step 1: Create a Conditional Access Policy in Azure AD

You need an Azure AD Premium P1 licence for this feature.

Here I created a policy that applied to one user and no other policy settings. This would mean this user is always in ReadOnly mode.

In real world scenarios you would more likely create a policy that applied to a group and not individual users and forced ReadOnly only when other conditions such as non-compliant device (i.e. home computer) where in use. The steps for this are:

The pictures, as you cannot create the policies in the cmdline, are as follows:

  1. New policy with a name. Here it is “Limited View for ZacharyP”
  2. Under “Users and Groups” I selected my one test user. Here you are more likely to pick the users for whom data leakage is an issue
  3. Under “Cloud apps” select Office 365 SharePoint Online. I have also selected Exchange Online, as the same idea exists in that service as well
  4. Under Session, and this is the important one, select “Use app enforced restrictions”.

SharePoint Online will then implement read only viewing for all users that fall into this policy you have just created.

Step 3: View the results

Ensure the user is licensed for SharePoint Online (and a mailbox if you are testing Exchange Online) and an Azure AD Premium P1 licence and ensure there is a document library with documents in it for testing!

Login as the user under the conditions you have set in the policy (in my example, the conditions where for the specific user only, but you could do network or device conditions as well.

SharePoint and OneDrive Wizard Driven Setup

For reference, in the SharePoint Admin Centre and Policies > Access Control > Unmanaged Devices, here you turn on “Allow limited web-only access” or “Block access” to do the above process of creating the conditional access rule for you, but with pre-canned conditions:

In the classic SharePoint Admin Center it is found under that Access Control menu, and in SharePoint PowerShell use Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

Turning the settings on in SharePoint creates the Conditional Access policies for you, so for my demo I disabled those as the one I made for had different conditions and included SharePoint as well as a service. This is as shown for SharePoint – the banner is across the top and the Download link on the ribbon is missing:

image

And for OneDrive, which is automatic when you turn it on for SharePoint:

Categories
calendar exchange online Exchange Server monthly channel Office 365 Office 365 ProPlus Outlook semi-annual channel

Save Time! Have All Your Meetings End Early

I am sure you have been in a meeting, where the meeting end time rolls around and there is a knock at the door from the people who want the meeting room now, as their meeting time has started and yours has finished.

What if you could recover five, eight, ten or more minutes per meeting so that the next meeting party can get into the room on time, and you have time to get out and get to your next meeting, and be on time.

Well since the beginning of 2019, Microsoft have come to your rescue.

image

The above are the new calendar “End appointments and meetings early” option. It is available in Outlook for Windows that is part of Office 365 ProPlus and you need to have a version of the software released new in 2019 for the feature to be available – more on the version and what to do in the technical section below.

The above option is found from File > Options > Calendar and then looking under Calendar Options as shown.

Check the option ”End appointments and meetings early” and then choose the time that a meeting under 1 hour will end early, and you can choose 5, 8 or 10 minutes, and then a second option for meetings over 1 hour – these can end 5, 10 or 15 minutes early. You can also enter your own preferred end early time.

Click OK and go create a new meeting. It should not matter how you create the meeting.

As you can see from my options above, my default meeting is 30 minutes – so on creating a new meeting I see the following:

image 

I’ve highlighted the new end time – its 25 minutes after the meeting starts! The adjustment applies to the default meeting length and shortens it for me.

If for this meeting I want it to be the full 30 minutes, I can just write in the new time – all Outlook is doing is setting a new adjustable default for me.

For meetings where you drag out a custom duration in your calendar – it works here as well:

image

As you can see I have dragged out 1pm to 4pm on Thursday. Look what happens when I enter some text for the meeting subject:

image

The meeting is created with an end time ten minutes early (my preferred time saving duration for meetings over one hour). As with the above, I can adjust the time of this meeting to the full hour if I want to very easily – just drag the meeting block to the full hour and it is kept. Its just the default time when I first create the meeting that is adjusted.

Note that existing meetings are not changed – but if you go into an existing meeting and look at the end time drop down, you will see suggestions for the duration that take the early end time into consideration:

image

So, that’s how you can save time on your meetings (or at least one way, being prepared for them is another and technology cannot help there – yet!)

Changing The Defaults For Everyone

But what if you are the HR department or the representative of the department for digital change – what if you want to try and improve company culture and change these defaults across the board – well this is a job for IT, but they can easily roll out a setting to all your computers that set a end early time for both short and longer meeting durations.

They need to deploy a group policy setting that changes the registry at HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Options\Calendar and updates both EndEarlyShort and EndEarlyLong values as well as the EndEventsEarly key. EndEarlyShort is of course the value that affects meetings under one hour – and you do not need to accept the Microsoft suggested durations of 5, 8 and 10 minutes. For example if I edit this DWORD registry key and set the value to 3, upon restarting Outlook my new meetings under one hour end three minutes early:

image

The EndEventsEarly value is the setting that turns the feature on. So as well as setting the end early times, you need to set this value to 1 as well.

If you want to roll out this change centrally and ensure that the end user cannot set their own custom end early time then you can change the registry key policy settings via HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Outlook\Options\Calendar. Changes in this registry location mean the user cannot adjust the end early times.

image

You can disable this option centrally as well by setting EndEventsEarly DWORD value to 0 – this has the effect of disabling the check box and so users cannot turn the option on.

All these three settings are included in the latest update to the Office365 Administrative Templates, available on Microsoft Download Center: https://www.microsoft.com/en-us/download/details.aspx?id=49030 as well.

Checking Your Outlook Version

Version 1812 or later in use on the Monthly Channel is required before you can use this feature. In most businesses you are probably using the Semi-Annual channel, and this has features deferred by at least six months. So to check, click File > Office Account in any Office application (shown below). To the right hand side you will see the below. You need to check you are running the Subscription Product and that under About Outlook (or whatever Office app you are checking), it reads Version 1812 or later and Monthly Channel. The Semi-Annual Channel is released in January and July each year and is deferred by at least six months, so as this feature was released in Dec 2018, this feature will not appear in the Semi-Annual Channel until at least July 2019 – build 1812 of the Semi-Annual Channel (and possibly not until build 1907). More on this release cycle can be found at https://docs.microsoft.com/en-us/deployoffice/overview-of-update-channels-for-office-365-proplus

image

Categories
activesync android email exchange exchange online Exchange Server iPad iPhone

Too Many Folders To Successfully Migrate To Exchange Online

Exchange Online has a limit of 10,000 folders within a mailbox. If you try and migrate a mailbox with more than this number of folders then it will fail – and that would be expected. But what happens if you have a mailbox with less than this number of folders and it still fails for this same reason? This is the problem, with resolution, I outline below.

I was moving some mailboxes to Exchange Online when I came across the following error in the migration batch results:

Data migrated: 18.18 MB ‎(19,060,890 bytes)‎
Migration rate: 0 B ‎(0 bytes)‎
Error: MigrationMRSPermanentException: Error: Could not create folder 2288. –> MapiExceptionFolderHierarchyChildrenCountQuotaExceeded: Unable to create folder. ‎(hr=0x80004005, ec=1253)‎ Diagnostic context: Lid: 55847 EMSMDBPOOL.EcPoolSessionDoRpc called [length=204] Lid: 43559 EMSMDBPOOL.EcPoolSessionDoRpc returned [ec=0x0][length=468][latency=1] Lid: 52176 ClientVersion: 15.20.1730.17 Lid: 50032 ServerVersion: 15.20.1730.6019 Lid: 35180 Lid: 23226 — ROP Parse Start — Lid: 27962 ROP: ropCreateFolder [28] Lid: 17082 ROP Error: 0x4E5 Lid: 25953 Lid: 21921 StoreEc: 0x4E5 Lid: 27962 ROP: ropExtendedError [250] Lid: 1494 —- Remote Context Beg —- Lid: 38698 Lid: 29818 dwParam: 0x0 Msg: f28f1e21-62aa-4999-977f-ce310efea309-61f0997f-74d5-4421-9050-64f8272e5ac2[9]-28A06 Lid: 29920 dwParam: 0xB Lid: 29828 qdwParam: 0x2711 Lid: 29832 qdwParam: 0x2710 Lid: 45884 StoreEc: 0x4E5 Lid: 29876 StoreEc: 0x4E5 Lid: 30344 StoreEc: 0x4E5 Lid: 54080 StoreEc: 0x4E5 Lid: 56384 StoreEc: 0x4E5 Lid: 38201 StoreEc: 0x4E5 Lid: 35904 Lid: 45434 Guid: f12f3e45-67aa-89012-345f-ce678efea901 Lid: 10786 dwParam: 0x0 Msg: 15.20.1730.017:VI1PR0502MB2975:145a3769-3902-4e6b-9fe4-6db564e4eb92 Lid: 1750 —- Remote Context End —- Lid: 31418 — ROP Parse Done — Lid: 22417 Lid: 30609 StoreEc: 0x4E5 Lid: 29073 Lid: 20369 StoreEc: 0x4E5 Lid: 64464 Lid: 64624 StoreEc: 0x4E5

In the above I have highlighted some of the errors I was seeing – with the “could not create folder” message, the first indicator is that I have too many folders to migrate or I have a corrupt mailbox. Running Get-MoveRequestStatistics and including a full report (with -IncludeReport) shows in part the below. This was run to get more info on the move request. This was run from Exchange Online:

​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​26/03/2019 17:10:09 [VI1PR0502MB3855] ‘MigrationService (on behalf of ‘Brian.Reid@domain.co.uk’)’ created move request.
26/03/2019 17:10:15 [DB8PR05MB6025] The Microsoft Exchange Mailbox Replication service ‘DB8PR05MB6025.eurprd05.prod.outlook.com’ (15.20.1730.17 ServerCaps:01FFFFFF, ProxyCaps:07FFFFC7FD6DFDBF5FFFFFCB07EFFF, MailboxCaps:, legacyCaps:01FFFFFF) is examining the request.
26/03/2019 17:10:15 [DB8PR05MB6025] Content from the Shard mailbox (Mailbox Guid: f12f3e45-67aa-89012-345f-ce678efea901, Database: cc980daf-4402-4645-b26c-2a83760b161c) will be merged into the target mailbox.
26/03/2019 17:10:15 [DB8PR05MB6025] Connected to target mailbox ‘tenant.onmicrosoft.com\2c065e32-3bd5-4524-9aac-03880fa8e961 (Primary)’, database ‘EURPR05DG090-db014’, Mailbox server ‘DB8PR05MB6025.eurprd05.prod.outlook.com’ Version 15.20 (Build 1730.0).
26/03/2019 17:10:20 [DB8PR05MB6025] Connected to source mailbox ‘tenant.onmicrosoft.com\2c065e32-3bd5-4524-9aac-03880fa8e961 (Primary)’, database ‘DB’, Mailbox server ‘onprem.server.domain.com’ Version 15.0 (Build 847.0), proxy server ‘onprem.server.domain.com’ 15.0.847.40 ServerCaps:, ProxyCaps:, MailboxCaps:, legacyCaps:1FFFCB07FFFF.
26/03/2019 17:10:21 [DB8PR05MB6025] Request processing started.
26/03/2019 17:10:21 [DB8PR05MB6025] Source mailbox information:
Regular Items: 8443, 905.4 MB (949,422,345 bytes)
Regular Deleted Items: 1149, 189.9 MB (199,115,692 bytes)
FAI Items: 4651, 11.72 MB (12,285,701 bytes)
FAI Deleted Items: 9, 19.26 KB (19,721 bytes)
26/03/2019 17:10:21 [DB8PR05MB6025] Cleared sync state for request 2c065e32-3bd5-4524-9aac-03880fa8e961 due to ‘CleanupOrphanedMailbox’.
26/03/2019 17:10:21 [DB8PR05MB6025] Mailbox signature will not be preserved for mailbox ‘tenant.onmicrosoft.com\f12f3e45-67aa-89012-345f-ce678efea901 (Primary)’. Outlook clients will need to restart to access the moved mailbox.
26/03/2019 17:11:20 [DB8PR05MB6025] Stage: CreatingFolderHierarchy. Percent complete: 10.
26/03/2019 17:12:38 [DB8PR05MB6025] Initializing folder hierarchy from mailbox ‘tenant.onmicrosoft.com\2c065e32-3bd5-4524-9aac-03880fa8e961 (Primary)’: 29048 folders total.
26/03/2019 17:21:21 [DB8PR05MB6025] Folder creation progress: 1102 folders created in mailbox ‘tenant.onmicrosoft.com\2c065e32-3bd5-4524-9aac-03880fa8e961 (Primary)’.
26/03/2019 17:31:22 [DB8PR05MB6025] Folder creation progress: 2730 folders created in mailbox ‘tenant.onmicrosoft.com\2c065e32-3bd5-4524-9aac-03880fa8e961 (Primary)’.
26/03/2019 17:41:22 [DB8PR05MB6025] Folder creation progress: 4535 folders created in mailbox ‘tenant.onmicrosoft.com\2c065e32-3bd5-4524-9aac-03880fa8e961 (Primary)’.
26/03/2019 17:51:23 [DB8PR05MB6025] Folder creation progress: 6257 folders created in mailbox ‘tenant.onmicrosoft.com\2c065e32-3bd5-4524-9aac-03880fa8e961 (Primary)’.
26/03/2019 18:01:23 [DB8PR05MB6025] Folder creation progress: 7919 folders created in mailbox ‘tenant.onmicrosoft.com\2c065e32-3bd5-4524-9aac-03880fa8e961 (Primary)’.
26/03/2019 18:11:23 [DB8PR05MB6025] Folder creation progress: 9570 folders created in mailbox ‘tenant.onmicrosoft.com\2c065e32-3bd5-4524-9aac-03880fa8e961 (Primary)’.
26/03/2019 18:14:15 [DB8PR05MB6025] Fatal error StoragePermanentException has occurred

The move request logs show an increasing folder count, and when this exceeds 10,000 a storage error occurs.

So the next thing to do is to check what I have on-premises. I have generally two options to try and fix a mailbox I am moving to Exchange Online. One is to move the mailbox elsewhere on-premises (on the basis that I discard errors on-premises and then move a cleaner mailbox to the cloud) or run repairs on the mailbox. Note that running repairs on-premises is part of the move to the cloud anyway as Exchange Server does this as part of the move.

But this revealed nothing! The move request logs on-premises showed the same – there was over 10,000 folders (indeed some of my mailboxes had over 20,000 folders) and this was enumerated in the move request logs. A New-MailboxRepairRequest did nothing either. But interestingly, Get-MailboxFolderStatistics | Measure showed only 200 folders! Each of my failing mailboxes had between 150 and 263 folders – nothing like the +10,000 that the move request was finding!

So I opened the mailbox in Outlook having granted myself permissions to it – again nothing.

So I opened MFCMapi and had a look at the folders. Now MFCMapi shows everything in the mailbox, and not just items under the “top of the information store” folder. I went about expanding each subfolder I could find and I came across a subfolder that everytime i expanded it, MFCMapi would hang. I would close and restart MFCMapi and the same thing!

image

I had found my suspect folder – its a iPhone device that had created the +10,000 folders. Now that I had a good candidate for my issue, the fix was easy. I listed the active-sync devices using Get-MobileDevice -Mailbox “Richard Redmond” | FL Identity and then removed the suspect device using Remove-ActiveSyncDevice “domain.co.uk/OU/Richard Redmond/ExchangeActiveSyncDevices/iPhone§A9BCDE7FG57HIJ81KL1M08NOPQ” -Confirm:$false where the device identity was returned in the Get-MobileDevice cmdlet run just before.

This Remove-ActiveSyncDevice (or Remove-MobileDevice) cleans up this mailbox and deletes the partnership with the device.

Once this was done, I moved the mailbox again and it was ~200 folders and moved to Exchange Online without further issue.

Where I tested the move to Exchange Server rather than Exchange Online, I found that looking in the move request report (I had prestaged the move and then removed the corrupt mobile device), the move report showed information like the following and all I had done was removed one mobile device from the mailbox!

26/03/2019 17:41:22 [servername] Folder hierarchy changes reported in source ‘Primary (a8c13a2f-535b-d996-908e-ff84b1484a7)’: 200 changed folders, 24080 deleted folders.

From the users perspective, if the phone is an active device and is syncing email, then removing the phone causes it to create a new partnership. If the server allows any device then this is seamless to the user. If the server requires authorization to add a new device, then the user will be told this and service desk/admin will need to approve the device again. So if Allow/Block/Quarantine (ABQ) is not enabled on the server, one wonders if deleting all active sync partnerships before migrating any mailbox is an idea worth considering – there could be mailboxes I have moved that are <10,000 folders but not far from that number and therefore storing up issues for the future!