Archivo para la categoría ‘Office365’

European Office365 Connect Sessions

jueves, 10 de abril de 2014 Sin comentarios



Hi all, I’ve recently had the chance (as many of you know) of giving two sessions at the first edition of the European Office365 Connect event (Haarlem, Netherlands) which I really enjoyed a lot, not just for the great speakers that it had (Seb Mathews, Dan Holme, Marc Reguera, Jasper Oosterveld, Albert-Jan Schot, Bram de Jager, Danny Burlage, Dejan Foro, Patrick Lamber, Rolly Perreaux, etc…) but also for the great attention received by the organizers and how everything was mounted (a 5 star event).

Below you can find a brief description of the sessions I gave and the slides/resources used on each one of them. Enjoy them:

Managing Office 365 with PowerShell

Office 365, like many Microsoft products, can be managed via PowerShell and in this session we will take a look at some of the common commands you can use to become a well-rounded Office 365 Administrator. If you are new to PowerShell this session will cover some of the basics as well as covering the more “advanced” commands you can use.




Folder Icon

Building a hybrid configuration with Exchange 2013

Everybody talks about Office 365, not every organization is ready to go «full in». Enter the cloud at your own term by going hybrid, is a quote often used. But is it really that easy or are you getting in for a rollercoaster without knowing it. In this session we’ll cover how to prepare for a Exchange Online hybrid, we’ll lead you through all the requirements and actions for a working Hybrid scenario. After this session you’ll be able to make a well founded decision about hybrid and how to make it a success story.



Multi-Factor Auth inside Office365

viernes, 21 de febrero de 2014 Sin comentarios



Hi, todays article is about Multi-Factor Auth for Office365.

First of all, lets explain what is it, what are the benefits and then proceed to explain how to enable, configure and manage it via GUI and PowerShell…


Multi-Factor Auth is a multiple validation system that allows us to fortify the security when accessing out system, but not just that, it also allows us to know when someone is trying to access our data and be able to notify as fraud the undesired access. All this with the smple use of an SMS code, telephone call, mobile phone call or via APP.

So, does that means that I will have to input a code each time a access my mailbox?, not exactly, unless you select the send message or call options, our installed APP will be the one in charge to notify us of the access petition and be able to answer if we authorize or decline it.

And what happens with each program on which a make use of my account, will I have to authorize them each time they try to access my data? no, we have the option to configure a unique «APP Password» for every program with a unique activation.

Does that means I can create as many APP Passwords I want? No, we have a 40 APP Passwords limit.

What programs can I use with my APP Password? We can make use of known programs like Microsoft Outlook, Microsoft Lync, Office 2013 suite, and some others like Lync mobile client, Windows 8 and 8.1 Mail APP or the Office365 Activation assitant.

What is the name of the APP that I can use to authenticate the access? The APP is called «Multi-Factor Auth» and it’s available for IOS, Android and Windows Phone of course, just search for it on the store.

Is this feature available for all of the Office365 plans? No, just for MidSize, Enterprise (E1, E3 and E4) and Standalone (Exchange Online and Sharepoint Online) plans, so no Small Business plans are supported.


To enjoy this feature we just have to enter our Office365 portal as an admin and enable it for the users we want:

  • Enter our Office365 portal ( as an admin and click on «Users and Groups» and then on «Set up» dentro de «Set Multi-factor Authentication requirements»:


  •  On «View» select the view to be applied of the users we want to be shown, in my case I selected «Sign in allowed users«:


  • Select the users we want to enable and click on «Enable» and «Enable multi-factor auth» on the popup window:

0auth3 0auth4

Once the admin part is done, we can now proceed to do the user part. This is what the user is supposed to do once he enters the first time to the portal. It’s very important that the user logs in onto the portal before doing anything else with his account.


  • This will take us to the aditional security verification page, select the option we want and continue, on this case we will select «Notify me through app» and then click on  «Configure«:


  • Follow the steps and click on «Done«:


  • Once this is done, t will ask us if we make use of programs like Microsoft Outlook or Lync to create APP Passwords, in this case we will assume the user makes use of Microsoft Outlook, so we’ll create one clicking on «Create«:


  • Assign a name for the program, copy and paste the generated code inside the credentials request of our Microsoft Outlook. This password will not be shown again so it’s important to copy and paste it directly :


  • If we have the need to create more APP Passwords or modify the contacting method, we just have to enter our portal, click on the little hog on the upper right side and then on  «Office365 Settings», select the option «additional security verification» and click on «Update my pnone numbers used….», this will give us access to the settings and APP Passwords configuration area:


auth10 auth11

Auth9 Auth8.19


In order to work with Multi-Factor Auth, we must follow the next steps:

Connect-MsolService $MultiFactorAuth= New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement $MultiFactorAuth.RelyingParty = «*» $MultiFactorAuth = @($MultiFactorAuth)

Once the object has been created, you can start running the different options:

  • To enable just one specific user:

Set-MsolUser -UserPrincipalName -StrongAuthenticationRequirements $MultiFactorAuth

  • Enable on all users:

Get-MsolUser -All | Set-MsolUser -StrongAuthenticationRequirements $MultiFactorAuth

  • List all users with the enabled feature:

Get-MsolUser | Where-Object {$_.StrongAuthenticationRequirements -like «*»}  | select DisplayName,UserPrincipalName,StrongAuthenticationMethods,StrongAuthenticationRequirements

  • Disable the feature on a specific user:

$MultiFADisable = @() Set-MsolUser -UserPrincipalName -StrongAuthenticationRequirements $MultiFADisable


Just one thing, If we enable this feature on an admin account, keep in mind it wont be able to manage the subscription via PowerShell because its not supported, to do so, Microsoft recommends to create another account without any license applied and strong password to be used for powershell.


Once we try to log in via the portal, it will show us a notification on the app where it asks us to verify or cancel:

wp_ss_20140217_0001 wp_ss_20140217_0002 wp_ss_20140217_0003



Dissallow sending mails outside the org

sábado, 8 de febrero de 2014 Sin comentarios



Hi, today I´ll explain a very quick and simple process to avoid users from sending messages outside the org using Exchange Online.

First of all, we need to enter our Office365 subscription portal ( and then access our Exchange Admin Center (EAC) from the upper right side where it says «Admin» and then clicking on «Exchange» (check this out if you have a small business subscription).


Once we´re inside, click on the «Mail flow» section and then on the «rules» tab  to create a new transport rule, click on the «+» sign and then on «create a new rule…«.

  • Type a name to identify the rule and be able to associate with like «outgoing messages restrictions».
  • Click on the bottom part where it says «More options«
  • On «Apply this rule if…» select «The sender is this person» and select all users that will apply the restriction.
  • Click on «Add condition«
  • Select «The recipient is, external/internal«, and «Outside the organization«
  • On «Do the following…» select the «Block the message» and «Reject the message and include an explanation» option.
  • Specify a message to be delivered as a reason for the blocked users that try to send messages outside the org like «Sending messages outside the org is not permitted» and accept..
  • Click on «Save» and we´re done.


Best of all is that we don´t need to create another rule for each user that we want to apply the same behaviour, we just simply have to edit the rule and add the users we want or create a group and add it as a recipient.


GAL Segregation

sábado, 8 de febrero de 2014 Sin comentarios




Hi!, todays post will be covering something that the education and enterprises normaly ask for, it´s the GAL segregation on a Exchange Online environment.

So, what is the GAL segregation for? well, a very good example would be a university with 300.000 users and the teachers don’t want to be visible from the student side or viceversa.

Another example would be a recently adquired company and the source wants to integrate the email system but don’t want the recently bought to be able to see each other on the Global Address List. (here you can see an explanation on how Address Book Policies work:

Well, this was posible before on an on-premises environment but what about Exchange Online?, now is is!. One of the things we need to keep in mind is that in order for this to work fine, we will have to base on the details fields of eah user. On this guide I will be using the «Company» field so I can use the second example I proposed before.

First of all we will have to assign the «Address Lists» role to the «Organization Management» Administrator role and be able to work with the CmdLets we need:

  •  Access our Office365 portal.
  • Click on «Admin» and then on «Exchange» to enter the EAC
  • Click on «Permissions» and then on «admin Roles«
  • Double-click «Organization Management» and add «Address Lists» using the «+» button from the list.
  • SAVE

Then we’ll need to prepare our powershell environement in order to connect to Exchange Online.

Once we’re connected, we will search for users that have the UPN suffix inside their UserPrincipalName and assign the «Contoso Ltd.» value on the Company field of the user detailes with the following CmdLet:

  Get-User -Filter {userprincipalname -like «*«} | Set-User -company «Contoso Ltd.»

Now we have to create the four address lists that the ABP uses.

Creating the GAL:

New-GlobalAddressList -name ContosoGAL -RecipientFilter {(recipienttype -eq «usermailbox») -and (Company -eq «Contoso Ltd.»)}

Creating the Address List:

New-AddressList -name ContosoAddressList -RecipientFilter {(recipienttype -eq «usermailbox») -and (Company -eq «Contoso Ltd.»)}

Creating the OAB:

New-OfflineAddressBook -name ContosoOAB -AddressList ContosoAddressList

Creating the Resource List:

New-AddressList -name ContosoResourceAddressList -RecipientFilter {(recipientdisplaytype -eq «conferenceroommailbox») -and (Company -eq «Contoso Ltd.»)}

Once we have created the four required lists, we will proceed to create the ABP:

New-AddressBookPolicy -Name ContosoABP -AddressLists ContosoAddressList -GlobalAddressList ContosoGAL -OfflineAddressBook ContosoOAB -RoomList ContosoResourceAddressList

And last of all, assign the recently created ABP to the desired users:

Get-User -Filter {userprincipalname -like *} | Set-Mailbox -AddressBookPolicy ContosoABP

If what we want is to assign the ABP to a specific user, simply run this CmdLet:

Set-Mailbox -AddressBookPolicy ContosoABP


Microsoft Spain Exchange support team blog (Thanks to Pablo García Merlo):

Microsoft TechNet:

The new Yammer APP for Windows

domingo, 19 de enero de 2014 Sin comentarios




Hi, it’s well known that Yammer as well is great for team collaboration in a social level, but is also known that one of the weaker points of Microsoft social platform either if it’s part of the Office365 suite or as a standalone plan, is their notification APPS.

Well, some days ago I received a mail from the Yammer product team on which they announce the end of the actual Windows APP based on  Adobe Air to give pass to the new Windows Notifier APP.

From my point of view, the only problem that had the Windows APP was that when you read a message or a thread on the APP, these weren’t synced with the web, I mean, if we read a message on the APP, and then, we enter some days later to the web, the messages were still on an unread status.

According to the mentioned E-Mail, this is being done because they don’t want the APP to be a replacement of the web, but a companion APP to notify about changes on conversations in real time so we can read on the web directly by clicking on the alert.

I decided to test it out and these were the results:

  • The installation was fast and easy.
  • The configuration represented no complication for basic users.


  • Once the APP was running, I observed that it limits Only to alert over the home network, what it means that if we have more than one network inside our Yammer (which is more common every day) we wont have any type of alert like we had on the old APP where we could select the network to work with.
  • Once read all the alerts and inbox messages on the web, passed a few seconds, the APP will update and remove the notifications.


  • It will show us alerts not only of the inbox messages, but also the all company messages and all group messages,  and not only as a visual notidication but also with a sound notification (something we didn’t had before).


In conclusion, we hope some features like alerts for multiple networks be part of the APP on a close future if what they pretend is to be a companion APP and not a replace of the web, so it will make sense for the many profiles that make use of multiple yammer networks with one account.

If you want to try it out you can download it from here:

PS: Enable RMS for Office365

sábado, 11 de enero de 2014 Sin comentarios



Many of you already know what Rights Management Services (RMS) can do for us on an AD environment under the ADRMS role, and also are up to date that Office365 integrates this as a feature on enterprise plans.

Well, there are some situations which you want to enable RMS on a tenant via GUI and just after clicking the activate now button, the process gets stuck with the following screen no matter how much time you leave it (normally it takes no much more than 2 minutes):


For all of those that are suffering the situation, you have an inmediate solution via PowerShell following these steps:

Import-Module AADRM

  • Connect to the service with Global Administrator credentials:

Connect-AadrmService -Verbose

  • Finally enable RMS:



This process shouldn’t last longer than 2 minutes, after then we can disconnect off the service with the following CmdLet:




PS: Configuring read receipts in Exchange Online

viernes, 3 de enero de 2014 Sin comentarios




Hi, today I’ll be bringing you a short but useful article for large orgs. Often we encounter with read receipts confirmations when we receive e-mails and many of the users reject them, what are the meaning of those then?, well if we can’t control external users from doing that, we can for our org users.

Of course we can do it via GUI either by OWA or by Outlook, but we have two inconvenients, one is that those settings will be applied only with client depending, and the other one is that is not operative to do it one by one on large orgs. So what happens when we have 300+ users? POWERSHELL!

To do so, we need to get our environment configured and once this is done, run the following CMDLET:

Set-MailboxMessageConfiguration -Identity -ReadReceiptResponse NeverSend

In this case we will be configuring the user to never send read receipt confirmations, but we can customize it replacing the «NeverSend» with the following options:

  • «DoNotAutomaticallySend»  To always ask for confirmations
  • «AlwaysSend» To always send confirmations
  • «NeverSend» To never send confirmations

But how do we apply this to all users? very simple, making use of the «|» to the command we want to preceed, i.e:

Get-User | Set-MailboxMessageConfiguration -ReadReceiptResponse AlwaysSend

To confirm that the value has been correctly applied, we can run the following:

Get-MailboxMessageConfiguration -Identity | fl ReadReceiptResponse


Migrate Office365 family plans easily

viernes, 27 de diciembre de 2013 Sin comentarios


Until now, we had to be really careful when choosing the right Office365 plan for our Org, because if we chose a P1 plan and later on we wanted to change to an E1 plan because of the need to, we would have to pass thru a hell setting up a new E1 subscription, create users, configure the environment again, add the domain, export one by one the users data to later on import them to the new subscription, etc…

Well, after so many time, Microsoft made possible the path to migrate different family plans (SKU) through the portal to another one greater than the one we have, without the need of any of the previous steps.

Of course there are some limitations when doing it and in resume, you cannot downgrade, only upgrade to a different plan.

If you want to learn some more about it, here’s a link from Microsoft on how to do it and the limitations that may exist:

APP: Service Health Dashboard for Office365

martes, 26 de noviembre de 2013 Sin comentarios



This utility is very simple as it only manages to notify and show the Office365 Administrator the Service Health of the service, if there´s an issue or if it´s been one, know the status, details and also acces the Post Incident Report (PIR).

Actually this APP is in B1 phase and only suuports the viewing of one tenant at a time, but in the future is expected to support «multi-tenancy» and integrate the support tickets for those Admins that manage more than one subscription ;). By the moment is only available for Windows Phone 8, but the plans are to be released for IOS and Android very soon. As a requisite, the account that needs to be used on the APP has to be at least a Service Admin or Global Admin.

Here are some screenshots of the APP for you to take a look:

wp_ss_20131126_0001 wp_ss_20131126_0002 wp_ss_20131126_0003 wp_ss_20131126_0004 wp_ss_20131126_0005 wp_ss_20131126_0006


As a final comment, this demonstrates that there´s an API to play with in Office365, but it´s inside Microsoft walls by the moment. ;).

Print and save Invoices inside Office365 Enterprise plans

martes, 19 de noviembre de 2013 Sin comentarios



One of the things that most persons ask at the Office365 forums is how to print and/or save invoices.

Well to do so, we must access our Office365 portal ( with our Global Admin or Billing Administrator credentials, click on «licensing» on the left side panel and then on «Billing»:


Select a date and click on «View».

We will then get a list of the subscriptions we have, click on «view details» of the desired subscription:


Finally click on «view invoice (.pdf) to open it on PDF format and be able to save it or print it.


Hope it helps…