Archivo

Archivo para la categoría ‘English Articles’

Force Outlook to connect to Office365 instead of Exchange On-Premise

martes, 29 de octubre de 2013 Sin comentarios

Cambiar-idioma-esp

o365

When we do a cutover migration, we encounter just after migrating all the content and configure the new profile in Microsoft Outlook, it autoconfigures itself directly with the On-Premise Exchange server.

Besides, if we make a ping to autodiscover.dominio.com, it will always resolve the local exchange server ip instead of the Office365 autodiscover, no matter if we add it to the hosts file, configure external DNS or even add the entry to the local DNS.

This is because Exchange 2010 presents the built-in functionality of autodiscover, and in order to the new profiles take effect of the new configuration needed, is necessary to do one of the two following steps:

1- Delete the Autodiscover virtual dir in IIS (at the local Exchange server):

  • Run the Exchange Management Shell
  • Execute the following commands

Remove-AutodiscoverVirtualDirectory -Identity «MyServer\autodiscover(autodiscover.contoso.com)»

Set-ClientAccessServer name -AutoDiscoverServiceInternalUri $null

  • Restart IIS running «IISRESET» command inside a Command Line Console

2- Add the following registry entries on the client machine:

  • Navigate to the path, if it´s Outlook 2007: HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Autodiscover
  •  Navigate to the path, if it´s Outlook 2010: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Autodiscover
  • Add the following values:

«PreferLocalXML»
«ExcludeHttpRedirect»
«ExcludeHttpsAutodiscoverDomain»
«ExcludeHttpsRootDomain”
«ExcludeScpLookup»
«ExcludeSrvLookup»
«ExcludeSrvRecord»
«PreferLocalXML»=dword:0
«ExcludeHttpRedirect»=dword:0
«ExcludeHttpsAutodiscoverDomain»=dword:0
«ExcludeHttpsRootDomain»=dword:1
«ExcludeScpLookup»=dword:1 (forces Outlook to exclude SCP object check)
«ExcludeSrvLookup»=dword:1
«ExcludeSrvRecord»=dword:1

  • Restart the machine and créate the new profile.

Search and Delete messages in Exchange Online between dates

domingo, 20 de octubre de 2013 Sin comentarios

 Cambiar-idioma-esp

 o365

 

A few days ago I recieved a question out of the usual: How to delete messages from a mailbox between two dates without the need of applying retention policies.

Of course, this can´t be done from any admin console, but it can be done from PowerShell keeping in mind the following requisites:

Once we met the requisites, connect to the office365 subscription with the following CmdLets:

$LIveCred = Get-Credential $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LIveCred -Authentication Basic -AllowRedirection Import-PSSession $Session

Finally, once inside run the following CmdLet:

Search-Mailbox usuario@dominio.com -SearchQuery «Received: $(‘mm/dd/yyyy’) and Received:< $(‘mm/dd/yyyy’)» -DeleteContent

This will Soft-Delete the content between these dates.

Hope you find this useful.

 

GuruXP Repository – August and September 2013

sábado, 5 de octubre de 2013 Sin comentarios

New Exchange Online Limits

viernes, 20 de septiembre de 2013 Sin comentarios

Cambiar-idioma-esp

  branding

It´s not a strange thing that one of the strongest points of Google Apps was the storage they provided to their users, and i said «was» and «provided» because few days ago Microsoft announced that all important Office365 services would increment their storage limit (double). One of the examples we find out is Skydrive Pro as the Sharepoint MVP Juan Carlos Gonzalez tells in his post, one of the stongest points when working with doc libraries in Sharepoint Online where we now get 25Gb of free storage (7Gb before), and also be able to increment it up to 100Gb buying the storage upgrade for the account.

Well, Sharepoint is not the only one, we also count with Exchange Online where we can highlight some points like the 50Gb of storage included on each personal mailbox (25Gb before), 10Gb per each shared mailbox without the need of assigning a license to it (5Gb before), and for the public folders we get nothing less than up to 2,50Tb with 50 public folders of 50Gb maximum each (yes, that’s a «T»).

In order to get things clearer, here’s a little table explaining how storage gets on Exchange Online:

 

091513_0920_Nuevoslimit1.jpg

P1=Small Business; M=Midsize Business; E=Enteprise; A=Education; G=Government; K=Kiosk; ExOl=Exchange Online Standalone

Of course there are a few things to keep in mind that still persists:

  • The archive size limit is shared with the personal mailbox.
  • The shared mailbox doesn’t need a license under 10Gb, but the users that need to access it do need one.
  • The users with an Exchange Online Kiosk, Office365 Enterprise Kiosk or Office365 Government Kiosk will not be able to access any shared mailboxes as limitation.
  • The resource mailboxes don’t need a license.

Hope it’s useful for many of you.

Hijacking Office365 sessions with “Dead” Cookies

lunes, 2 de septiembre de 2013 Sin comentarios

Cambiar-idioma-esp

o365

I’ve been investigating for some time the security that Microsoft Office365 platform is offering and what are the weak points that may be when working with our data on the cloud, analyzing the communications being carried out with the use of sniffers, different browsers and operating systems (including Windows 8.1) as a workstation role. So today I’ve found out an article about this that really got my attention written by Ms. Smith, attractive enough to put it to test right away.

Session Hijacking: The theory

Normally whenever we access a web service with some user and password, one or more cookies are stored in our PC, allowing the access to that web service without introducing the credentials again by saving them into it, so the system understands there’s no need to identify yourself again because you’ve already done so.

So what happens if someone gets his hands on those cookies? Well it’s simple, if the status of those cookies are alive, then he could make use of the users session inside that web service without needing not even a single password. A few popular examples of these are FireSheep in Tuenti, or Facebook Apps binary cookies. Besides the problem is when these cookies get the status of «dead» without being totally dead, leaving the session open even after the user is logged off the web service, as we saw in the famous LinkedIn cookies case. Well Microsoft’s Office365 is not an exception and can be hijacked with a stolen cookie even after the user has logged off.

Microsoft Office365 session hijacking: PoC

Following Ms. Smith article, I decided to use a Windows 7 workstation and install Google Chrome browser with the «Edit my cookie» plugin. Once installed I logged in to my Microsoft Office365 portal using Chrome:

 

Once I was inside, I clicked on the upper right cookie button and selected «Export Cookies«:

 

Then opened a notepad and pasted the info I’ve exported with the cookie info that holds the Microsoft Office365 session:

 

I saved it as a txt file on my desktop and logged off my Office365 session, until now that session should be killed already so even If a wanted to, I couldn’t access to my info again.

So I got another workstation running (this time with Windows 8.1) and pasted to the desktop the txt file:

 

I also installed on this machine the Google Chrome Browser and the «Edit my cookie» plugin, and browse to the Microsoft Office365 login page. Once I’ve got there, I clicked on the upper right cookie button and selected «Import cookies» and saved changes:

 

Once the process was done, y entered again the same Microsoft Office365 login page by retyping the URL on the address bar without closing the browser, and there it is! I got it to all my info, without entering a single letter of my password.

 

 

How to mitigate the cookie stealing inside Microsoft Office365:

Getting a Microsoft Office365 session cookie needs another combined attack, like accessing local files locally, cheating a user for getting into a Man in the Middle scheme or finding a client-side vulnerability that enables you to access the cookie. It’s not that easy but it’s possible though because of the behavior of the cookie as it should be killed totally when logging off to mitigate this problem. On Raul Siles article about Session Management Cheat-Sheet we can find some security measures that should be applied to session cookies.

Microsoft has confirmed they’re working on it to fortify security of sessions, but meanwhile make sure you’re cookies are not held by other hands, so I recommend to always clear your browser cache and make use of the Internet Explorers In-Private functionality (Ctrl+Shift+P) as this allows the no use of session cookies to be stored on the local PC.

 

Removing a domain name from Office365

domingo, 1 de septiembre de 2013 Sin comentarios

Cambiar-idioma-esp

o365

On todays post I’ll explain how to remove a domain name from an office365 subscription, either because you’re migrating to anoyher family plan, your trial subscription is about to end, or just because we’re not using the domain name anymore.

The first thing we must do is set the users that are using the domain name to use another domain name (the .onmicrosoft.com domain for example). This implies two things to check out: the login UPN suffix (whats on after the @ symbol), and the proxy addresses (also called aliases) assigned on each users email addresses tab inside their properties.

So how do we do it via GUI (Graphical User Interface)?:

  • Access our Office365 portal with Admin credentials.
  • Go to Users and Groups.
  • Select all the users we’re about to change and click on edit.
  • Go to Details, and on Domain select another one.

For proxy addresses, we’ll have to do it one by one editing the details and clicking on the more tab and then on edit exchange properties, go to the email addresses section and delete the ones with domain name that we’re willing to remove.

So how to do it via PowerShell?:

$LIveCred = Get-Credential $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LIveCred -Authentication Basic -AllowRedirection Import-PSSession $Session

  • Run the following to get the users that have the domain name we want to remove assigned:

Get-MsolUser -DomainName [Domain] | fl UserPrincipalName

  • Change the desired users with the following:

Set-MsolUserPrincipalName -UserPrincipalName [CurrentUPN] -NewUserPrincipalName [NewUPN]

Once we’ve deleted the domain name from the users, we must do the same with distribution/security groups. To do so, we must access the Exchange Online Control Panel (if you have a small business plan, you must follow this article to access the ECP), clicking on the upper right side where it says «Admin» and then on «Exchange«, go to «groups» and edit each one of them under the «email addresses» section and delete the one containing the domain name we want to remove.

The same thing happens with shared mailboxes, site mailboxes and Lync Online users.

When we get done and checked out every single user containing the domain name to be deleted, we must click on the company name on the main screen of the Office365 portal and change the associated domain.

So, we’ve checked out users, distribution/security groups, shared mailboxes, site mailboxes, Lync Online users and the associated domain, now it’s the time when we can proceed to its deletion accessing the domains section inside the office365 portal, you just need to select the domain and delete it.

If we want to do this via PowerShell, this is what we need to run:

Remove-MsolDomain -Domain dominio.com

Iberian Sharepoint Conference

viernes, 23 de agosto de 2013 Sin comentarios

 Cambiar-idioma-esp

 

isclogo

Hey! I’m proud to announce i’ll be attending one of the wonderful sessions inside the intranet Iberian Sharepoint Conference that will take place in Madrid on October 10th. Conference i feel very proud of taking part of, due to such level of speakers that conforms it, speakers like Juan Carlos González, Alberto Diaz Martin, Peter Diaz, Adrian Diaz, Santiago Porras, Mario Cortés, Miguel Tabera, Jethro Seghers, Christian Buckley, and some others with a veeeeeery high level. If you’re not registered, i recommend you to do so, its price is not high at all compared to what other events of this type and level costs.

In concrete mi session named «Exchange Online and shared info» will be compounding the different types of shared info Exchange Online has to offer, Comparison between features with advantages and disadvantages, and how to implement and manage them, by GUI and PowerShell.

If you want to know more about the agenda, workshops and speakers, i invite you to visit the Iberian Sharepoint Conference website.

I hope to see you there.

Dynamic Distribution Groups in Exchange Online

viernes, 16 de agosto de 2013 Sin comentarios

ExchangeOnline

If just a few days ago i explained how to create and manage Distribution Groups under Exchange Online, now i come to do the same about Dynamic Distribution Groups under Exchange Online.

Definition and Functionality

Dynamic Distribution Groups are a functionality that allows to receive E-Mails under a virtual address and distribute them between their members, defining members to be the ones that meet one or more of the conditions we specify under the properties of the group according to values of the user properties.

An example of this would be a department like Office365 IT Support located at NY with one or more employees that have the need of forwarding all the E-mails sent to an address like o365.support.NY@contoso.com. Due that this department has fluent employees that come and go out of the company, it’s management could be more loaded than expected. To avoid this, Microsoft thought of a new functionality that could automatically add members located at the NY office and the Office365 IT support department.

With this functionality we will not only avoid configuring a POP account PC by PC, but also be able to assign permissions to users who want to send E-mails as the department address or on behalf of in difference to the Distribution Groups of other platforms, and also avoid high workload on the management area as it’s automatic.

Configuration through the Office365 Portal

– The first thing we have to do is access our Office365 portal (http://portal.microsoftonline.com). – Then we need to access the Exchange Control Panel or ECP clicking on the upper side of the screen where it says «Admin» and then on «Exchange». (Click here to access the ECP if you have a Small Business Plan).

dg1

– Once inside, click on «Groups».

dg2

– Click on the «+» Symbol and then where it says «Dynamic Distribution Group» – Set the properties of the group we want to create:

dyndg1

Display Name: this is the name it will appear on the Global Address List and also on the recipients as the Department.

Alias: this field is the identifier that the system will use to localize and identify this group.

Description: we can assign a short description of the use we’ll use the group for.

Owners: indicates who will have the permissions to make modifications over this group.

Members: here we will define who will form part of this group, allowing to receive all the messages sent to the virtual address, only if they meet the conditions we set below.

– Once you’ve created the group, we can define additional properties doing a double click on it.

The screens we will find are:

General, where we can define or edit options like Display Name, the SMTP address it will use, Description and something very important, the ability to hide the group from the Global Address List (GAL).

dyndg2

Ownership, where we can set the owners that can make modifications to the group, including the new member approvals.

esdg5

Membership, here we can set the members or recipients of the mails sent to the virtual address and the conditions they have to meet to be one of it.

dyndg4

Membership Approval, to set the permissions config to join or leave the group.

esdg7

Delivery Management, where we can set the senders that can send messages to this group. By default the selected option is set to «Only senders inside the organization», so if we want to receive messages from outside the organization we must select the other option where it says «Senders inside and outside of my organization». Also we can set specific members that can send to this group.

dyndg5

Message Approval, here we can set the message flow to moderate the messages in case we want to approve the received messages before distributing it to its members. We can also define the moderators we want and if we want to exclude from this rule certain senders in who we trust. Also have the possibility to notify the sender in case his message has been rejected.

 dyndg6

E-mail Options, from this section we can define one or various SMTP addresses to be used to receive using this group.

 dyndg7

Mailtip, we can also define the message that will appear to users inside our organization using Microsoft Outlook when selecting the group as recipient. For example a message indicating it can be a delay of two days for answering the message.

 dyndg8

Group Delegation, here we can assign permissions to «Send As» or «Send on Behalf Of» to users so they can send messages using the group as the sender.

 dyndg9

Configuration through PowerShell

– First of all we need to prepare our environment to connect with our Office365 subscription via PowerShell.

– Then we only need to run the following:

New-DynamicDistributionGroup -Name «Dynamic DG Name» -RecipientFilter {(RecipientType -eq ‘UserMailbox’) -and (Department –like <DeptName’>)}

– Set the group to allow messages to be received from outside and inside the org:

Set-DynamicDistributionGroup «Group Name» -RequireSenderAuthenticationEnabled $False

– Assign other owners of the group:

Set-DynamicDistributionGroup -Identity «Group Name» –ManagedBy user@company.com -BypassSecurityGroupManagerCheck

– Add additional SMTP addresses to the group:

Set-DynamicDistributionGroup «Group Name» -EmailAddresses SMTP: dept@company.com, alias@company.com

– Hide the group from the Global Address List (GAL):

Set-DynamicDistributionGroup «Group Name» -HiddenFromAddressListsEnabled $True

– Show members of a Dynamic Distribution Group:

$DDG = Get-DynamicDistributionGroup «Dynamic DG Name» Get-Recipient -RecipientPreviewFilter $DDG.RecipientFilter |ft alias

I hope you find this useful.

GuruXP Repository – July 2013

lunes, 5 de agosto de 2013 Sin comentarios

Exchange Online Distribution Groups

domingo, 4 de agosto de 2013 Sin comentarios

Definition and Functionality

Distribution Groups are a functionality that allows to receive E-Mails under a virtual address and distribute them between their members.

An example of this would be a department like sales with one or more employees that have the need of forwarding all the E-mails sent to an address like sales@contoso.com.

With this functionality we will not only avoid configuring a POP account PC by PC, but also be able to assign permissions to users who want to send E-mails as the department address or on behalf of in difference to the Distribution Groups of other platforms.

dgscheme

Configuration through the Office365 Portal

– The first thing we have to do is access our Office365 portal (http://portal.microsoftonline.com).
– Then we need to access the Exchange Control Panel or ECP clicking on the upper side of the screen where it says «Admin» and then on «Exchange». (Click here to access the ECP if you have a Small Business Plan).

dg1

– Once inside, click on «Groups».

dg2

– Click on the «+» Symbol and then where it says «Distribution Group» – Set the properties of the group we want to create:

esdg3Display Name: this is the name it will appear on the Global Address List and also on the recipients as the Department.

Alias: this field is the identifier that the system will use to localize and identify this group.

Description: we can assign a short description of the use we’ll use the group for.

Owners: indicates who will have the permissions to make modifications over this group.

Members: here we will define who will form part of this group, allowing to receive all the messages sent to the virtual address.

Joining approval permissions: we can define if the employees can join this group without any approval (open), they can be manually added by any owner without having the option to send a request (closed), or if the employees can send requests to join the group in order to be accepted or rejected by any owner of the group (Owner Approval).

Leave permissions: we can define if the members can leave the group without any permission or approval (open), or if it needs to be approved by any owner (closed).

– Once you’ve created the group, we can define additional properties doing a double click on it.

The screens we will find are:

General, where we can define or edit options like Display Name, the SMTP address it will use, Description and something very important, the ability to hide the group from the Global Address List (GAL).

esdg4

Ownership, where we can set the owners that can make modifications to the group, including the new member approvals.

esdg5

Membership, here we can set the members or recipients of the mails sent to the virtual address.

esdg6

Membership Approval, to set the permissions config to join or leave the group.

esdg7

Delivery Management, where we can set the senders that can send messages to this group. By default the selected option is set to «Only senders inside the organization», so if we want to receive messages from outside the organization we must select the other option where it says «Senders inside and outside of my organization». Also we can set specific members that can send to this group.

esdg8

Message Approval, here we can set the message flow to moderate the messages in case we want to approve the received messages before distributing it to its members. We can also define the moderators we want and if we want to exclude from this rule certain senders in who we trust. Also have the possibility to notify the sender in case his message has been rejected.

 esdg9

E-mail Options, from this section we can define one or various SMTP addresses to be used to receive using this group.

 esdg10

Mailtip, we can also define the message that will appear to users inside our organization using Microsoft Outlook when selecting the group as recipient. For example a message indicating it can be a delay of two days for answering the message.

 esdg11

Group Delegation, here we can assign permissions to «Send As» or «Send on Behalf Of» to users so they can send messages using the group as the sender.

 esdg12

Configuration through PowerShell

– First of all we need to prepare our environment to connect with our Office365 subscription via PowerShell.

– Then we only need to run the following:

New-DistributionGroup -Name «Group Name» -DisplayName «Display Name» -Alias «Group Alias» -PrimarySmtpAddress dept@company.com

– Add the members:

Add-DistributionGroupMember  «Group Name» -Member user@company.com -BypassSecurityGroupManagerCheck

– Set the group to allow messages to be received from outside and inside the org:

Set-DistributionGroup «Group Name» -RequireSenderAuthenticationEnabled $False

– Assign other owners of the group:

Set-DistributionGroup -Identity «Group Name» –ManagedBy user@company.com -BypassSecurityGroupManagerCheck

– Add additional SMTP addresses to the group:

Set-DistributionGroup «Group Name» -EmailAddresses SMTP: dept@company.com, alias@company.com

– Hide the group from the Global Address List (GAL):

Set-DistributionGroup «Group Name» -HiddenFromAddressListsEnabled $True

I hope you find this useful.