Archive

Archive for the 'Office365' category

Purge deleted users in Office365

Wednesday, 6 November 2013


When we delete a user in Office365 it is not removed outright: it goes to a recycle bin for 30 days (soft delete). That is convenient when we want to restore the account with all its permissions, content and details, but what happens when John Smith leaves the company and a few days later a new hire named Judy Smith joins? If we want to assign the new user name following the organisation's Initial.LastName policy (J.Smith, for example), Office365 returns an error saying the user cannot be created because the user name already exists.

To force the deletion of the user from the recycle bin we have to use PowerShell, so the environment must first be prepared for PowerShell and Office365.

First, sign in to the Office365 subscription with the following cmdlets (this opens the Exchange Online remote session):

$LiveCred = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection

Import-PSSession $Session

Then import the Online Services module and connect it with the same credentials (the Msol cmdlets below do not run over the Exchange session, so Connect-MsolService is required):

Import-Module MSOnline

Connect-MsolService -Credential $LiveCred

 

Run the following cmdlet to list the soft-deleted users and find the ObjectId of the one to purge:

Get-MsolUser -All -ReturnDeletedUsers | Select-Object UserPrincipalName, ObjectId

Finally, purge the user with the ObjectId obtained above. This is irreversible: once purged, the account and its mailbox can no longer be restored.

Remove-MsolUser -ObjectId <ObjectId> -RemoveFromRecycleBin -Force
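As an added example (not code from the original post), here is the whole procedure as one script. It targets the soft-deleted user by UPN instead of copying an ObjectId by hand, refuses to run if the UPN matches zero or several deleted objects, and checks the recycle bin again after the purge. It assumes the MSOnline module is installed; $TargetUpn is an assumed value.

```powershell
# Added example, not from the original post. Assumes the MSOnline module is
# installed; $TargetUpn is an assumed value.
Import-Module MSOnline
$Cred = Get-Credential
Connect-MsolService -Credential $Cred

$TargetUpn = 'j.smith@contoso.onmicrosoft.com'

# Only objects in the recycle bin are returned with -ReturnDeletedUsers, so an
# active account with the same UPN can never be matched here by mistake.
$Deleted = @(Get-MsolUser -All -ReturnDeletedUsers |
    Where-Object { $_.UserPrincipalName -eq $TargetUpn })

if ($Deleted.Count -eq 0) { throw "No soft-deleted user with UPN $TargetUpn" }
if ($Deleted.Count -gt 1) {
    $Deleted | Format-Table UserPrincipalName, ObjectId -AutoSize
    throw "Several deleted objects share that UPN; purge by ObjectId instead"
}

$Target = $Deleted[0]
Write-Host ("Purging {0} (ObjectId {1}); this cannot be undone" -f $Target.UserPrincipalName, $Target.ObjectId)

# -RemoveFromRecycleBin turns the soft delete into a hard delete.
Remove-MsolUser -ObjectId $Target.ObjectId -RemoveFromRecycleBin -Force

# Verify: the object must be gone from the recycle bin, which frees the UPN
# for the new account.
$Still = Get-MsolUser -All -ReturnDeletedUsers | Where-Object { $_.ObjectId -eq $Target.ObjectId }
if ($Still) { Write-Warning 'Object still listed in the recycle bin; retry in a few minutes' }
else        { Write-Host "Purged; $TargetUpn can be reused" }
```

Run it from the same PowerShell session used for the steps above; the script does not need the Exchange Online session at all, only the MSOnline connection.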

 

Hope it helps someone.

 

 

Force Outlook to connect to Office365 instead of Exchange On-Premises

Tuesday, 29 October 2013


When we do a cutover migration, right after migrating all the content and configuring the new profile in Microsoft Outlook, we find that the profile autoconfigures itself against the on-premises Exchange server.

Moreover, pinging autodiscover.dominio.com always resolves to the local Exchange server's IP instead of the Office365 Autodiscover endpoint, no matter whether we add it to the hosts file, configure external DNS or even add the entry to the local DNS.

This happens because Exchange 2010 provides Autodiscover itself: a domain-joined Outlook first looks up the service connection point (SCP) that Exchange publishes in Active Directory and only then falls back to DNS. For new profiles to pick up the new configuration, one of the following two steps is necessary:

1- Delete the Autodiscover virtual directory in IIS (on the local Exchange server). Do this only once every mailbox has moved, because it removes Autodiscover for all on-premises clients, not just the one being configured:

  • Run the Exchange Management Shell
  • Execute the following commands (the identity is Server\VirtualDirectory (IIS web site); run Get-AutodiscoverVirtualDirectory first to see the exact value)

Remove-AutodiscoverVirtualDirectory -Identity "MyServer\autodiscover (autodiscover.contoso.com)"

Set-ClientAccessServer -Identity MyServer -AutoDiscoverServiceInternalUri $null

  • Restart IIS by running "IISRESET" from a command prompt

2- Add the following registry entries on the client machine (this affects only that user's Outlook, so it is the safer option while other users still use the on-premises server):

  • Navigate to the path for Outlook 2007: HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Autodiscover
  • Navigate to the path for Outlook 2010: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Autodiscover
  • Create the Autodiscover key if it does not exist, then add the following DWORD values:

"PreferLocalXML"=dword:0
"ExcludeHttpRedirect"=dword:0
"ExcludeHttpsAutodiscoverDomain"=dword:0 (this is the lookup that reaches Office365, so it must stay enabled)
"ExcludeHttpsRootDomain"=dword:1
"ExcludeScpLookup"=dword:1 (forces Outlook to skip the SCP object check in Active Directory)
"ExcludeSrvLookup"=dword:1
"ExcludeSrvRecord"=dword:1

  • Restart the machine and create the new profile.
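As an added example (not part of the original post), the registry step above as a script that can be run in the user's context, for instance from a logon script, instead of editing each machine by hand. It only touches the Outlook versions actually present for the user and reads the values back at the end so the result can be checked.

```powershell
# Added example, not from the original post: applies the Autodiscover overrides
# from step 2. Runs as the user whose Outlook profile is being created, since
# the values live under HKCU.
$Overrides = [ordered]@{
    PreferLocalXML                 = 0
    ExcludeHttpRedirect            = 0
    ExcludeHttpsAutodiscoverDomain = 0   # keep: this lookup is the one that reaches Office365
    ExcludeHttpsRootDomain         = 1
    ExcludeScpLookup               = 1   # skip the on-premises SCP object in Active Directory
    ExcludeSrvLookup               = 1
    ExcludeSrvRecord               = 1
}

# 12.0 = Outlook 2007, 14.0 = Outlook 2010 (the versions covered by the post)
foreach ($Version in '12.0', '14.0') {
    $OfficeKey = "HKCU:\Software\Microsoft\Office\$Version\Outlook"
    if (-not (Test-Path $OfficeKey)) { continue }   # that Outlook version is not installed for this user

    $Key = Join-Path $OfficeKey 'Autodiscover'
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }

    foreach ($Name in $Overrides.Keys) {
        New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $Overrides[$Name] -Force | Out-Null
    }

    Write-Host "Applied Autodiscover overrides under $Key"
    Get-ItemProperty -Path $Key | Select-Object @($Overrides.Keys) | Format-List
}
```

Log the user off and on (or reboot, as the post says) before creating the profile, since Outlook reads these values when it starts the Autodiscover process.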

Search and Delete messages in Exchange Online between dates

Sunday, 20 October 2013


A few days ago I received an unusual question: how to delete the messages of a mailbox between two dates without applying retention policies.

This cannot be done from any admin console, but it can be done from PowerShell, provided the following prerequisites are met:

Once the prerequisites are met, connect to the Office365 subscription with the following cmdlets:

$LiveCred = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection

Import-PSSession $Session

Finally, once connected, run the following cmdlet (dates in mm/dd/yyyy; the first bound is inclusive, the second exclusive):

Search-Mailbox -Identity usuario@dominio.com -SearchQuery 'Received:>=mm/dd/yyyy AND Received:<mm/dd/yyyy' -DeleteContent

This soft-deletes the content between those dates: the items disappear from the mailbox but stay in Recoverable Items until the deleted item retention period expires. Before deleting anything, run the same search with -EstimateResultOnly instead of -DeleteContent to see how many items match. Bear in mind that -DeleteContent requires the account running it to hold the Mailbox Import Export management role, which no built-in role group assigns by default, on top of the Mailbox Search role needed for the search itself.
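As an added example (not code from the original post), the same deletion done the way I would want it run against a production mailbox: estimate first, require an explicit confirmation, keep a copy of everything in a discovery mailbox, and report what was removed. It assumes an open Exchange Online session and an account holding the Mailbox Search and Mailbox Import Export roles; the mailbox, dates and discovery mailbox are assumed values.

```powershell
# Added example, not from the original post. Assumes an open Exchange Online
# session; $Mailbox, $From, $To and $Archive are assumed values.
$Mailbox = 'usuario@dominio.com'
$From    = '10/01/2013'              # inclusive, mm/dd/yyyy
$To      = '10/15/2013'              # exclusive
$Archive = 'discovery@dominio.com'   # mailbox that keeps a copy of what is deleted
$Query   = "Received:>=$From AND Received:<$To"

# 1. Dry run: same query, nothing touched
$Estimate = Search-Mailbox -Identity $Mailbox -SearchQuery $Query -EstimateResultOnly
Write-Host ("{0} items ({1}) match '{2}' in {3}" -f $Estimate.ResultItemsCount, $Estimate.ResultItemsSize, $Query, $Mailbox)
if ($Estimate.ResultItemsCount -eq 0) { return }

# 2. Explicit, case-sensitive confirmation before anything is deleted
$Answer = Read-Host 'Type DELETE to copy these items to the discovery mailbox and remove them'
if ($Answer -cne 'DELETE') { Write-Warning 'Aborted, nothing deleted'; return }

# 3. Copy to the discovery mailbox, then delete from the source. -LogLevel Full
#    also writes a log message with every item's details to the target folder.
$Folder = 'Deleted-{0}-{1}' -f $Mailbox, (Get-Date -Format 'yyyyMMdd')
$Result = Search-Mailbox -Identity $Mailbox -SearchQuery $Query `
    -TargetMailbox $Archive -TargetFolder $Folder -LogLevel Full -DeleteContent -Force

# 4. What actually happened
$Result | Format-List Identity, ResultItemsCount, ResultItemsSize, TargetMailbox, TargetFolder, Success
```

The copy step matters because, unlike a retention policy, this deletion is immediate and driven by whatever the query matches; the discovery mailbox is the only place left to check that the date range was right.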

Hope you find this useful.

 

New Exchange Online Limits

Friday, 20 September 2013


It is no secret that one of Google Apps' strongest points was the storage it gave its users, and I say "was" and "gave" because a few days ago Microsoft announced that all the important Office365 services would double their storage limits. One example is SkyDrive Pro, as SharePoint MVP Juan Carlos Gonzalez explains in his post, one of the strongest points when working with document libraries in SharePoint Online: we now get 25 GB of free storage (7 GB before), and it can be increased up to 100 GB by buying the storage upgrade for the account.

SharePoint is not the only one; Exchange Online also gains: 50 GB of storage on each personal mailbox (25 GB before), 10 GB per shared mailbox without assigning a license to it (5 GB before), and for public folders nothing less than up to 2.5 TB, as 50 public folders of 50 GB maximum each (yes, that is a "T").

To make things clearer, here is a small table of how storage works out on Exchange Online:

 

(Table image: Exchange Online storage limits per plan; not reproduced in this archive.)

P1 = Small Business; M = Midsize Business; E = Enterprise; A = Education; G = Government; K = Kiosk; ExOl = Exchange Online Standalone

Of course, a few things to keep in mind still apply:

  • The archive size limit is shared with the personal mailbox.
  • A shared mailbox does not need a license while under 10 GB, but the users who access it do.
  • Users on Exchange Online Kiosk, Office365 Enterprise Kiosk or Office365 Government Kiosk cannot access shared mailboxes; this is a plan limitation.
  • Resource mailboxes do not need a license.

Hope it’s useful for many of you.

Hijacking Office365 sessions with “Dead” Cookies

Monday, 2 September 2013


I have been investigating for some time the security that the Microsoft Office365 platform offers and the weak points that may exist when working with our data in the cloud, analysing the communications with sniffers, different browsers and operating systems (including Windows 8.1) in the workstation role. Today I found an article about this by Ms. Smith that really got my attention, attractive enough to put it to the test right away.

Session Hijacking: The theory

Normally, when we log in to a web service with a user name and password, the service sets one or more cookies in our browser that carry a session identifier. Every later request presents those cookies, so the service treats us as already authenticated and does not ask for the credentials again: the cookies hold a session token, not the password itself.

So what happens if someone gets hold of those cookies? Simple: if the session they reference is still alive, the attacker can use the user's session in that web service without needing a single password. Well-known examples are Firesheep against Tuenti, or the Facebook Apps binary cookies. The problem gets worse when the cookies become "dead" without being fully dead: the session stays usable even after the user has logged off, as we saw in the famous LinkedIn cookie case. Microsoft's Office365 is no exception and can be hijacked with a stolen cookie even after the user has logged off.

Microsoft Office365 session hijacking: PoC

Following Ms. Smith's article, I decided to use a Windows 7 workstation and install the Google Chrome browser with the "Edit my cookie" plugin. Once installed, I logged in to my Microsoft Office365 portal using Chrome:

Once inside, I clicked the cookie button in the upper right and selected "Export Cookies":

Then I opened Notepad and pasted the exported data containing the cookies that hold the Microsoft Office365 session:

I saved it as a .txt file on my desktop and logged off my Office365 session; by now that session should already be killed, so even if I wanted to, I couldn't access my information again.

Then I started another workstation (this time with Windows 8.1) and copied the .txt file to its desktop:

On this machine I also installed the Google Chrome browser and the "Edit my cookie" plugin, and browsed to the Microsoft Office365 login page. Once there, I clicked the cookie button in the upper right, selected "Import cookies" and saved the changes:

Once that was done, I went to the same Microsoft Office365 login page again by retyping the URL in the address bar without closing the browser, and there it was! I got to all my information without typing a single letter of my password.

 

 

How to mitigate cookie stealing in Microsoft Office365:

Getting hold of a Microsoft Office365 session cookie requires a second attack combined with it: reading the cookie store from the local disk, luring the user into a man-in-the-middle position, or finding a client-side vulnerability that exposes the cookie. It is not easy, but it is possible, and the behaviour of the cookie makes it worse: the session it references should be invalidated completely on the server when the user logs off, which is what mitigates this problem. Raul Siles' article on the Session Management Cheat Sheet lists the security measures that should be applied to session cookies.

Microsoft has confirmed they are working on hardening session security; meanwhile, make sure your cookies do not end up in someone else's hands. I recommend always clearing the browser cache and using Internet Explorer's InPrivate browsing (Ctrl+Shift+P), since it discards the session cookies instead of keeping them on the local PC.

 

Removing a domain name from Office365

Sunday, 1 September 2013


In today's post I will explain how to remove a domain name from an Office365 subscription, whether because you are migrating to another plan family, your trial subscription is about to end, or simply because the domain is no longer in use.

The first thing to do is move the users who use the domain name to another one (the .onmicrosoft.com domain, for example). This involves two things to check: the login UPN suffix (what comes after the @ symbol) and the proxy addresses (also called aliases) assigned on the email addresses tab of each user's properties.

So how do we do it via the GUI (Graphical User Interface)?

  • Access the Office365 portal with admin credentials.
  • Go to Users and Groups.
  • Select all the users we are about to change and click Edit.
  • Go to Details and select another domain under Domain.

For proxy addresses we have to do it one by one: edit the user's details, click the More tab, then Edit Exchange properties, go to the email addresses section and delete the ones with the domain name we are about to remove.

So how do we do it via PowerShell? First connect to Exchange Online and, since the Msol cmdlets below do not run over that session, also to the Online Services module:

$LiveCred = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection

Import-PSSession $Session

Import-Module MSOnline

Connect-MsolService -Credential $LiveCred

  • Run the following to get the users whose UPN still uses the domain we want to remove:

Get-MsolUser -All -DomainName [Domain] | Format-List UserPrincipalName

  • Change each of those users with the following:

Set-MsolUserPrincipalName -UserPrincipalName [CurrentUPN] -NewUserPrincipalName [NewUPN]

Once the domain name has been removed from the users, we must do the same with distribution and security groups. To do so, open the Exchange Online Control Panel (if you have a Small Business plan, follow this article to access the ECP) by clicking "Admin" in the upper right and then "Exchange", go to "groups", edit each one of them and, under the "email addresses" section, delete the address containing the domain name we want to remove.

The same applies to shared mailboxes, site mailboxes and Lync Online users.

When we are done and have checked every single object that still referenced the domain to be deleted, we must click the company name on the main screen of the Office365 portal and change the associated domain.

So, having checked users, distribution/security groups, shared mailboxes, site mailboxes, Lync Online users and the associated domain, we can now proceed to the deletion from the domains section of the Office365 portal: select the domain and delete it. The removal fails while any object still carries an address on the domain, so an error here means the inventory above missed something.

If we want to do this via PowerShell, this is what we need to run:

Remove-MsolDomain -DomainName dominio.com
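As an added example (not code from the original post), the inventory and clean-up above in one pass: it lists every user still signing in with the old domain and every recipient of any type that still carries a proxy address on it, moves the UPNs, strips the old aliases from mailboxes, and only then leaves the domain removal as the last, commented step. It assumes an open Exchange Online session plus Connect-MsolService already run; $OldDomain and $NewDomain are assumed values.

```powershell
# Added example, not from the original post. Assumes an Exchange Online
# session and Connect-MsolService are already established; domains are assumed.
$OldDomain = 'dominio.com'
$NewDomain = 'contoso.onmicrosoft.com'

# 1. Users whose sign-in name (UPN) is still on the old domain
$UpnUsers = @(Get-MsolUser -All -DomainName $OldDomain)
"{0} users still sign in with @{1}" -f $UpnUsers.Count, $OldDomain

# 2. Any recipient (users, shared/site mailboxes, groups) that still carries a
#    proxy address on the old domain; these block the removal even after the
#    UPN has moved, which is why the portal check is per object
$Recipients = @(Get-Recipient -ResultSize Unlimited |
    Where-Object { $_.EmailAddresses -like "*@$OldDomain" })
$Recipients |
    Select-Object RecipientTypeDetails, PrimarySmtpAddress,
        @{ n = 'OldDomainAddresses'; e = { ($_.EmailAddresses -like "*@$OldDomain") -join ';' } } |
    Format-Table -AutoSize

# 3. Rename the UPNs (mailbox data is untouched; only the sign-in name changes)
foreach ($U in $UpnUsers) {
    $NewUpn = '{0}@{1}' -f $U.UserPrincipalName.Split('@')[0], $NewDomain
    Set-MsolUserPrincipalName -UserPrincipalName $U.UserPrincipalName -NewUserPrincipalName $NewUpn
    "Renamed {0} -> {1}" -f $U.UserPrincipalName, $NewUpn
}

# 4. Strip old-domain aliases from mailboxes (groups follow the same pattern
#    with Set-DistributionGroup). A primary address on the old domain cannot be
#    removed this way, so it is reported for a manual primary-address change.
foreach ($R in ($Recipients | Where-Object { $_.RecipientTypeDetails -like '*Mailbox' })) {
    if ("$($R.PrimarySmtpAddress)" -like "*@$OldDomain") {
        Write-Warning "$($R.PrimarySmtpAddress): primary address is on $OldDomain; set a new one with Set-Mailbox -PrimarySmtpAddress first"
        continue
    }
    $Remove = @($R.EmailAddresses | Where-Object { "$_" -like "smtp:*@$OldDomain" })
    if ($Remove.Count -gt 0) {
        Set-Mailbox -Identity "$($R.PrimarySmtpAddress)" -EmailAddresses @{ Remove = $Remove }
        "Removed {0} alias(es) from {1}" -f $Remove.Count, $R.PrimarySmtpAddress
    }
}

# 5. Re-run steps 1 and 2; only when both come back empty is this safe:
# Remove-MsolDomain -DomainName $OldDomain
```

Running the two inventories again after the changes is the actual check: Remove-MsolDomain refuses to delete a domain that any object still references, so an empty inventory is what tells you the removal will succeed.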

Dynamic Distribution Groups in Exchange Online

Friday, 16 August 2013

Just a few days ago I explained how to create and manage Distribution Groups in Exchange Online; now I will do the same for Dynamic Distribution Groups in Exchange Online.

Definition and Functionality

Dynamic Distribution Groups allow e-mails to be received at a virtual address and distributed to their members, where the members are defined as the users whose properties meet one or more conditions specified in the group's properties.

An example would be a department such as Office365 IT Support located in NY, with one or more employees who need to receive all the e-mails sent to an address like o365.support.NY@contoso.com. Because employees come and go in this department, maintaining a static member list could be more work than expected. To avoid this, Microsoft added a feature that automatically includes as members the users located in the NY office and in the Office365 IT Support department.

With this functionality we not only avoid configuring a POP account PC by PC, but we can also grant permissions to users who need to send e-mail as the department address or on its behalf, unlike the distribution groups of other platforms, and we avoid the administrative load of maintaining the membership, since it is automatic.

Configuration through the Office365 Portal

– First, access the Office365 portal (http://portal.microsoftonline.com).
– Then open the Exchange Control Panel (ECP) by clicking "Admin" at the top of the screen and then "Exchange". (Click here to access the ECP if you have a Small Business Plan.)
– Once inside, click "Groups".
– Click the "+" symbol and then "Dynamic Distribution Group".
– Set the properties of the group we want to create:

Display Name: the name that appears in the Global Address List and at the recipients as the department.

Alias: the identifier the system uses to locate and identify this group.

Description: a short description of what we will use the group for.

Owners: who has permission to make changes to this group.

Members: who will be part of this group and receive all the messages sent to the virtual address; for a dynamic group these are the users who meet the conditions we set below.

– Once the group is created, we can define additional properties by double-clicking it.

The screens we will find are:

General, where we can define or edit the Display Name, the SMTP address it will use, the Description and, very importantly, whether the group is hidden from the Global Address List (GAL).

Ownership, where we set the owners who can modify the group, including approving new members.

Membership, where we set the members, i.e. the recipients of the mail sent to the virtual address, and the conditions they must meet to be one of them.

Membership Approval, where we set the permissions to join or leave the group.

Delivery Management, where we set which senders can send messages to this group. The default is "Only senders inside my organization", so if we want to receive messages from outside the organization we must select "Senders inside and outside of my organization". We can also restrict delivery to specific senders. Opening the group to external senders also opens every matching mailbox to spam and spoofed mail addressed to the team, so combine it with moderation or a sender allow list where possible.

Message Approval, where we can make the message flow moderated, so that received messages are approved before being distributed to the members. We can define the moderators, exclude trusted senders from the rule, and choose whether to notify the sender when a message is rejected.

E-mail Options, where we can define one or more SMTP addresses on which this group receives mail.

MailTip, the message shown to users in our organization using Microsoft Outlook when they select the group as a recipient, for example a note that replies may take two days.

Group Delegation, where we grant "Send As" or "Send on Behalf Of" permissions to users so they can send messages with the group as the sender.

Configuration through PowerShell

– First we need to prepare our environment to connect to our Office365 subscription via PowerShell.

– Then we only need to run the following (the filter is an OPATH string; quote attribute values with single quotes):

New-DynamicDistributionGroup -Name "Dynamic DG Name" -RecipientFilter "((RecipientType -eq 'UserMailbox') -and (Department -like 'DeptName*'))"

– Allow messages from outside as well as inside the org (by default only authenticated internal senders are accepted):

Set-DynamicDistributionGroup "Group Name" -RequireSenderAuthenticationEnabled $False

– Assign other owners of the group:

Set-DynamicDistributionGroup -Identity "Group Name" -ManagedBy user@company.com -BypassSecurityGroupManagerCheck

– Add additional SMTP addresses to the group (passing a plain list to -EmailAddresses replaces the existing addresses, so use the Add form):

Set-DynamicDistributionGroup "Group Name" -EmailAddresses @{Add="smtp:alias@company.com"}

– Hide the group from the Global Address List (GAL):

Set-DynamicDistributionGroup "Group Name" -HiddenFromAddressListsEnabled $True

– Show the members a Dynamic Distribution Group currently resolves to:

$DDG = Get-DynamicDistributionGroup "Dynamic DG Name"

Get-Recipient -RecipientPreviewFilter $DDG.RecipientFilter | Format-Table Alias
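As an added example (not code from the original post), the NY support group from the text built end to end: a filter on both department and city, a preview of who it resolves to (the check that catches attribute values that do not match the filter), and the Send As and Send on Behalf delegation described under Group Delegation. It assumes an open Exchange Online session; the group name, addresses, department and city values are assumed.

```powershell
# Added example, not from the original post. Assumes an open Exchange Online
# session; names, addresses and attribute values are assumed.
$Name   = 'O365 Support NY'
$Filter = "((RecipientType -eq 'UserMailbox') -and (Department -eq 'Office365 IT Support') -and (City -eq 'New York'))"

$Ddg = New-DynamicDistributionGroup -Name $Name -Alias 'o365.support.NY' `
    -PrimarySmtpAddress 'o365.support.NY@contoso.com' -RecipientFilter $Filter

# Membership is evaluated at delivery time, so preview it the way transport
# would. An empty result usually means the user attributes do not match the
# filter exactly (e.g. 'NY' vs 'New York'), not that the group is broken.
$Members = @(Get-Recipient -RecipientPreviewFilter $Ddg.RecipientFilter)
"{0} recipients currently match '{1}'" -f $Members.Count, $Filter
$Members | Format-Table Name, Department, City -AutoSize

# RequireSenderAuthenticationEnabled stays at its default ($true) here: the
# address is internal-facing, so there is no reason to accept Internet mail
# that would reach every matching mailbox. Restrict it further to the helpdesk
# mailbox that files tickets, and hide it from the GAL.
Set-DynamicDistributionGroup -Identity $Name `
    -AcceptMessagesOnlyFromSendersOrMembers 'helpdesk@contoso.com' `
    -HiddenFromAddressListsEnabled $true

# Let the team answer from the shared address. Send on Behalf is a property of
# the group; Send As is a recipient permission granted per trustee.
Set-DynamicDistributionGroup -Identity $Name -GrantSendOnBehalfTo 'j.smith@contoso.com'
Add-RecipientPermission -Identity $Name -Trustee 'j.smith@contoso.com' -AccessRights SendAs -Confirm:$false

# Verify the final state before handing it over
Get-DynamicDistributionGroup -Identity $Name |
    Format-List PrimarySmtpAddress, RecipientFilter, RequireSenderAuthenticationEnabled,
        AcceptMessagesOnlyFromSendersOrMembers, GrantSendOnBehalfTo, HiddenFromAddressListsEnabled
Get-RecipientPermission -Identity $Name | Format-Table Trustee, AccessRights -AutoSize
```

Re-run the preview after changing a user's Department or City: that is the whole point of a dynamic group, and also the reason a mistyped attribute silently adds or drops a recipient.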

I hope you find this useful.

Exchange Online Distribution Groups

Sunday, 4 August 2013

Definition and Functionality

Distribution Groups allow e-mails to be received at a virtual address and distributed to their members.

An example would be a department such as Sales, with one or more employees who need to receive all the e-mails sent to an address like sales@contoso.com.

With this functionality we not only avoid configuring a POP account PC by PC, but we can also grant permissions to users who need to send e-mail as the department address or on its behalf, unlike the distribution groups of other platforms.

Configuration through the Office365 Portal

– First, access the Office365 portal (http://portal.microsoftonline.com).
– Then open the Exchange Control Panel (ECP) by clicking "Admin" at the top of the screen and then "Exchange". (Click here to access the ECP if you have a Small Business Plan.)
– Once inside, click "Groups".
– Click the "+" symbol and then "Distribution Group".
– Set the properties of the group we want to create:

Display Name: the name that appears in the Global Address List and at the recipients as the department.

Alias: the identifier the system uses to locate and identify this group.

Description: a short description of what we will use the group for.

Owners: who has permission to make changes to this group.

Members: who will be part of this group and receive all the messages sent to the virtual address.

Joining approval: whether employees can join the group without any approval (Open), can only be added manually by an owner with no option to request membership (Closed), or can send a join request that any owner accepts or rejects (Owner Approval).

Leave permissions: whether members can leave the group without any approval (Open) or need an owner's approval (Closed).

– Once the group is created, we can define additional properties by double-clicking it.

The screens we will find are:

General, where we can define or edit the Display Name, the SMTP address it will use, the Description and, very importantly, whether the group is hidden from the Global Address List (GAL).

Ownership, where we set the owners who can modify the group, including approving new members.

Membership, where we set the members, i.e. the recipients of the mail sent to the virtual address.

Membership Approval, where we set the permissions to join or leave the group.

Delivery Management, where we set which senders can send messages to this group. The default is "Only senders inside my organization", so if we want to receive messages from outside the organization we must select "Senders inside and outside of my organization". We can also restrict delivery to specific senders. Opening the group to external senders also opens every member to spam and spoofed mail addressed to the team, so combine it with moderation or a sender allow list where possible.

Message Approval, where we can make the message flow moderated, so that received messages are approved before being distributed to the members. We can define the moderators, exclude trusted senders from the rule, and choose whether to notify the sender when a message is rejected.

E-mail Options, where we can define one or more SMTP addresses on which this group receives mail.

MailTip, the message shown to users in our organization using Microsoft Outlook when they select the group as a recipient, for example a note that replies may take two days.

Group Delegation, where we grant "Send As" or "Send on Behalf Of" permissions to users so they can send messages with the group as the sender.

Configuration through PowerShell

– First we need to prepare our environment to connect to our Office365 subscription via PowerShell.

– Then we only need to run the following:

New-DistributionGroup -Name "Group Name" -DisplayName "Display Name" -Alias "Group Alias" -PrimarySmtpAddress dept@company.com

– Add the members:

Add-DistributionGroupMember "Group Name" -Member user@company.com -BypassSecurityGroupManagerCheck

– Allow messages from outside as well as inside the org (by default only authenticated internal senders are accepted):

Set-DistributionGroup "Group Name" -RequireSenderAuthenticationEnabled $False

– Assign other owners of the group:

Set-DistributionGroup -Identity "Group Name" -ManagedBy user@company.com -BypassSecurityGroupManagerCheck

– Add additional SMTP addresses to the group (passing a plain list to -EmailAddresses replaces the existing addresses, so use the Add form):

Set-DistributionGroup "Group Name" -EmailAddresses @{Add="smtp:alias@company.com"}

– Hide the group from the Global Address List (GAL):

Set-DistributionGroup "Group Name" -HiddenFromAddressListsEnabled $True
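As an added example (not code from the original post), the Sales group from the text created with the join/leave and moderation settings that the portal screens above expose but the cmdlets above do not set: owner-approved joins, closed departures, moderation for the externally published address, and an alias added without wiping the existing ones. It assumes an open Exchange Online session; names and addresses are assumed.

```powershell
# Added example, not from the original post. Assumes an open Exchange Online
# session; names and addresses are assumed.
$Name = 'Sales'

# Splatting keeps the settings readable and lets the same table be reused
$NewGroup = @{
    Name                    = $Name
    DisplayName             = 'Sales Department'
    Alias                   = 'sales'
    PrimarySmtpAddress      = 'sales@contoso.com'
    Type                    = 'Distribution'
    ManagedBy               = 'sales.manager@contoso.com'
    Members                 = 'a.jones@contoso.com', 'b.lee@contoso.com'
    MemberJoinRestriction   = 'ApprovalRequired'   # "Owner Approval" in the portal
    MemberDepartRestriction = 'Closed'             # leaving needs an owner
}
New-DistributionGroup @NewGroup

# sales@ is published on the web site, so it has to accept Internet mail.
# Opening it (RequireSenderAuthenticationEnabled $false) is paired with
# moderation so external mail is reviewed before it fans out to every member;
# the members themselves bypass the queue.
$Delivery = @{
    Identity                             = $Name
    RequireSenderAuthenticationEnabled   = $false
    ModerationEnabled                    = $true
    ModeratedBy                          = 'sales.manager@contoso.com'
    BypassModerationFromSendersOrMembers = $Name
    SendModerationNotifications          = 'Internal'
    MailTip                              = 'Messages to Sales are reviewed before delivery.'
}
Set-DistributionGroup @Delivery

# Add an alias without replacing the existing address list, and let one
# member reply on behalf of the group
Set-DistributionGroup -Identity $Name -EmailAddresses @{ Add = 'smtp:ventas@contoso.com' } `
    -GrantSendOnBehalfTo 'a.jones@contoso.com'

# Check owners, restrictions, moderation and the full address list
Get-DistributionGroup -Identity $Name |
    Format-List ManagedBy, MemberJoinRestriction, MemberDepartRestriction,
        RequireSenderAuthenticationEnabled, ModerationEnabled, ModeratedBy, EmailAddresses, GrantSendOnBehalfTo
Get-DistributionGroupMember -Identity $Name | Format-Table Name, PrimarySmtpAddress -AutoSize
```

Because the group is opened to external senders, the moderation settings are not optional here: without them anyone on the Internet could reach every member through one address, and the join restriction is what stops people adding themselves to see that mail.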

I hope you find this useful.

Fast and Easy reports on Office365

Saturday, 20 July 2013

Hi, today I won't be bringing you a tutorial or anything like that, but a tool I discovered that I find very interesting. It is a service that gives us access to a complete set of predefined reports on our Office365 subscription.

This tool is called COGMOTIVE.

Office365's native reports are few, and of course we can generate limited custom reports with PowerShell, but what we really want are more detailed reports, such as users with forwarding enabled, without having to write PowerShell cmdlets.

Cogmotive gives us many possibilities without depending on custom scripts being run whenever the detailed information is needed.

When we first enter our Cogmotive account (free for subscriptions of up to 25 users, by the way) we find a dashboard with all the relevant data of our Office365 subscription.

On the left side are all the reports available without any configuration (including the new ones they constantly add).

Its use is simple and shows the information without requiring any PowerShell experience. There is nothing to install anywhere and the first-time setup is fast and simple. The setup has two modes: automatic (for those who do not want to complicate things) and manual (for the curious like me).

Some of the reports I found interesting are:

Shared mailboxes size report

Mailbox size over time report

Users with Email forwarding enabled report

Users with mobile devices and their OS report

Security applied to mailboxes report

Assigned licenses inside the org report

We also have the option to create, generate, export and schedule custom reports to be e-mailed in PDF or CSV format.

On the security side, the session is established over HTTPS, and two-factor authentication with the Microsoft Authenticator app is also available.

Prices? See them for yourselves:

In conclusion, we could list a very long list of pros, but only two cons:

- the first (only if we have to name a defect): it is only available in English...

- the second, an important one: the account that has to be created during the initial setup for the reporting service needs to be a member of the View-Only Organization Management role group (logical and necessary) and of the Helpdesk Administrators role; the latter allows its members to reset the passwords of non-admin users.

In my case I did the manual initial setup and, when it came to adding the user to the roles, I skipped the Helpdesk Administrator role and it works perfectly.

So my recommendation is that, being a simple, complete and reliable product that is free for up to 25 users, it is a must-have in our Office365 subscription, at least to try out.

Until next post!

New Outlook Web App app for iPhone and iPad

Tuesday, 16 July 2013

Hi, the new Outlook Web App app for iOS devices, including iPhone and iPad, has just been announced. It gives us the best of both worlds (let's not kid ourselves, the native iOS mail app isn't as good as it should be) by letting us take advantage of the Outlook Web App rich client.

So why wait? Let's try it out:

iPhone: https://itunes.apple.com/us/app/owa-for-iphone/id659503543

iPad: https://itunes.apple.com/us/app/owa-for-ipad/id659524331

Cheers!

Categories: English Articles, Office365