Archive for the ‘Powershell’ category

GAL Segregation

Saturday, 8 February 2014




Hi! Today’s post covers something that education and enterprise organizations normally ask for: GAL segregation in an Exchange Online environment.

So, what is GAL segregation for? A very good example would be a university with 300.000 users where the teachers don’t want to be visible from the student side, or vice versa.

Another example would be a recently acquired company: the acquirer wants to integrate the email system but doesn’t want the two companies to be able to see each other in the Global Address List. (Here you can see an explanation of how Address Book Policies work:

Well, this was possible before in an on-premises environment, but what about Exchange Online? Now it is! One thing we need to keep in mind is that, for this to work properly, we have to base it on the detail fields of each user. In this guide I will use the «Company» field, so that I can follow the second example I proposed above.

First of all, we have to assign the «Address Lists» role to the «Organization Management» administrator role so that we can work with the CmdLets we need:

  • Access our Office365 portal.
  • Click on «Admin» and then on «Exchange» to enter the EAC.
  • Click on «Permissions» and then on «admin roles».
  • Double-click «Organization Management» and add «Address Lists» using the «+» button from the list.
  • Save.

Then we’ll need to prepare our PowerShell environment in order to connect to Exchange Online.

Once we’re connected, we will search for users that have the UPN suffix inside their UserPrincipalName and assign the «Contoso Ltd.» value to the Company field of the user details with the following CmdLet:

  Get-User -Filter {userprincipalname -like «*«} | Set-User -company «Contoso Ltd.»

Now we have to create the four address lists that the ABP uses.

Creating the GAL:

New-GlobalAddressList -name ContosoGAL -RecipientFilter {(recipienttype -eq "usermailbox") -and (Company -eq "Contoso Ltd.")}

Creating the Address List:

New-AddressList -name ContosoAddressList -RecipientFilter {(recipienttype -eq "usermailbox") -and (Company -eq "Contoso Ltd.")}

Creating the OAB:

New-OfflineAddressBook -name ContosoOAB -AddressList ContosoAddressList

Creating the Resource List:

New-AddressList -name ContosoResourceAddressList -RecipientFilter {(recipientdisplaytype -eq "conferenceroommailbox") -and (Company -eq "Contoso Ltd.")}

Once we have created the four required lists, we will proceed to create the ABP:

New-AddressBookPolicy -Name ContosoABP -AddressLists ContosoAddressList -GlobalAddressList ContosoGAL -OfflineAddressBook ContosoOAB -RoomList ContosoResourceAddressList

And last of all, assign the recently created ABP to the desired users:

Get-User -Filter {userprincipalname -like *} | Set-Mailbox -AddressBookPolicy ContosoABP

If what we want is to assign the ABP to a specific user, simply run this CmdLet:

Set-Mailbox -AddressBookPolicy ContosoABP
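
A check for the assignment step above, as an added example that is not from the original post: it classifies recipients by whether the Company value and the assigned policy agree, since a mailbox without an ABP still sees the default GAL and a mailbox with ContosoABP but a different Company value is filtered out of its own lists. The function name, the input object shape (Company from Get-User joined with AddressBookPolicy from Get-Mailbox) and the sample users are assumptions.

```powershell
# Added example (not from the original post). Test-AbpAssignment is a hypothetical helper.
function Test-AbpAssignment {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Recipient,
        [string] $Company = 'Contoso Ltd.',
        [string] $Policy  = 'ContosoABP'
    )
    process {
        # Same comparison the RecipientFilter uses: Company -eq "Contoso Ltd."
        $inCompany = [string]$Recipient.Company -eq $Company
        $hasPolicy = [string]$Recipient.AddressBookPolicy -eq $Policy

        if ($inCompany -and $hasPolicy) { $status = 'OK' }
        elseif ($inCompany)             { $status = 'MissingPolicy' }  # no ABP: sees the default GAL
        elseif ($hasPolicy)             { $status = 'NotInOwnLists' }  # sees ContosoGAL but is not listed in it
        else                            { return }                     # outside this segregation scope

        [pscustomobject]@{
            User    = $Recipient.UserPrincipalName
            Company = $Recipient.Company
            Policy  = $Recipient.AddressBookPolicy
            Status  = $status
        }
    }
}

# Constructed sample data; note that the second user's Company lacks the trailing dot.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'ana@contoso.example';   Company = 'Contoso Ltd.'; AddressBookPolicy = 'ContosoABP' }
    [pscustomobject]@{ UserPrincipalName = 'luis@contoso.example';  Company = 'Contoso Ltd';  AddressBookPolicy = 'ContosoABP' }
    [pscustomobject]@{ UserPrincipalName = 'marta@contoso.example'; Company = 'Contoso Ltd.'; AddressBookPolicy = $null }
    [pscustomobject]@{ UserPrincipalName = 'pau@fabrikam.example';  Company = 'Fabrikam';     AddressBookPolicy = $null }
)

# Show only the recipients that need attention.
$sample | Test-AbpAssignment | Where-Object Status -ne 'OK' | Format-Table -AutoSize

# Against a live session, build the same shape from Get-Mailbox and Get-User:
# Get-Mailbox -ResultSize Unlimited | ForEach-Object {
#     [pscustomobject]@{
#         UserPrincipalName = $_.UserPrincipalName
#         AddressBookPolicy = $_.AddressBookPolicy
#         Company           = (Get-User -Identity $_.UserPrincipalName).Company
#     }
# } | Test-AbpAssignment
```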


Microsoft Spain Exchange support team blog (Thanks to Pablo García Merlo):

Microsoft TechNet:

PS: Enable RMS for Office365

Saturday, 11 January 2014



Many of you already know what Rights Management Services (RMS) can do for us in an AD environment under the AD RMS role, and also know that Office365 integrates it as a feature in enterprise plans.

Well, there are situations where you want to enable RMS on a tenant via the GUI and, just after clicking the activate now button, the process gets stuck on the following screen no matter how long you leave it (normally it takes not much more than 2 minutes):


For all of those suffering from this situation, there is an immediate solution via PowerShell following these steps:

Import-Module AADRM

  • Connect to the service with Global Administrator credentials:

Connect-AadrmService -Verbose

  • Finally enable RMS:



This process shouldn’t last longer than 2 minutes; after that we can disconnect from the service with the following CmdLet:




PS: Configuring read receipts in Exchange Online

Friday, 3 January 2014




Hi, today I’ll be bringing you a short but useful article for large orgs. We often run into read receipt confirmations when we receive e-mails, and many users reject them, so what is the point of them? Well, while we can’t control external users doing that, we can for our org users.

Of course we can do it via the GUI, either in OWA or in Outlook, but there are two drawbacks: one is that those settings only apply depending on the client, and the other is that it is not practical to do it one by one in large orgs. So what happens when we have 300+ users? POWERSHELL!

To do so, we need to get our environment configured and once this is done, run the following CMDLET:

Set-MailboxMessageConfiguration -Identity -ReadReceiptResponse NeverSend

In this case we configure the user to never send read receipt confirmations, but we can customize it by replacing «NeverSend» with one of the following options:

  • «DoNotAutomaticallySend»  To always ask for confirmations
  • «AlwaysSend» To always send confirmations
  • «NeverSend» To never send confirmations

But how do we apply this to all users? Very simple: use the pipe («|») after the command that should precede it, i.e.:

Get-User | Set-MailboxMessageConfiguration -ReadReceiptResponse AlwaysSend

To confirm that the value has been correctly applied, we can run the following:

Get-MailboxMessageConfiguration -Identity | fl ReadReceiptResponse


Purge deleted users in Office365

Wednesday, 6 November 2013



When we delete a user in Office365, it isn’t deleted outright, because it gets sent to a recycle bin for 30 days (Soft-Delete). This can be good when we want to restore it with all its permissions, content and details, but what happens when the user John Smith leaves the company and some days later another user named Judy Smith joins the company? If we want to assign the new username following the org policy Initial.LastName (J.Smith), for example, we will find that Office365 returns an error saying it cannot create the user because the username already exists.

To force the deletion of the user from the recycle bin, we must use PowerShell.

To do so, we must get our environment prepared for PowerShell and Office365.

First we must sign in to our Office365 subscription with the following CmdLets:

$LiveCred = Get-Credential 

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $LiveCred -Authentication Basic -AllowRedirection

Import-PSSession $Session

Import the Online Services module:

Import-Module MSOnline


Run the following CmdLet to get the ObjectId of the user to be deleted:

Get-MsolUser -All -ReturnDeletedUsers|select userprincipalname,objectid

Finally execute the purge of the desired user with the ObjectId obtained before:

Remove-MsolUser -ObjectId "objectid" -RemoveFromRecycleBin -Force


Hope it helps someone.



Force Outlook to connect to Office365 instead of Exchange On-Premise

Tuesday, 29 October 2013



When we do a cutover migration, we find that just after migrating all the content and configuring the new profile in Microsoft Outlook, it autoconfigures itself directly against the on-premises Exchange server.

Besides, if we make a ping to, it will always resolve to the local Exchange server IP instead of the Office365 autodiscover, no matter whether we add it to the hosts file, configure external DNS or even add the entry to the local DNS.

This is because Exchange 2010 has built-in autodiscover functionality, and for new profiles to pick up the new configuration, one of the two following steps is necessary:

1- Delete the Autodiscover virtual dir in IIS (at the local Exchange server):

  • Run the Exchange Management Shell
  • Execute the following commands

Remove-AutodiscoverVirtualDirectory -Identity «MyServer\autodiscover(»

Set-ClientAccessServer name -AutoDiscoverServiceInternalUri $null

  • Restart IIS running «IISRESET» command inside a Command Line Console

2- Add the following registry entries on the client machine:

  • Navigate to the path, if it’s Outlook 2007: HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Autodiscover
  • Navigate to the path, if it’s Outlook 2010: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Autodiscover
  • Add the following values:

"ExcludeScpLookup"=dword:1 (forces Outlook to exclude SCP object check)

  • Restart the machine and create the new profile.

Search and Delete messages in Exchange Online between dates

Sunday, 20 October 2013




A few days ago I received an unusual question: how to delete messages from a mailbox between two dates without the need to apply retention policies.

Of course, this can’t be done from any admin console, but it can be done from PowerShell keeping in mind the following requisites:

Once we meet the requisites, connect to the Office365 subscription with the following CmdLets:

$LiveCred = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $LiveCred -Authentication Basic -AllowRedirection

Import-PSSession $Session

Finally, once inside run the following CmdLet:

Search-Mailbox -SearchQuery "Received:> $('mm/dd/yyyy') and Received:< $('mm/dd/yyyy')" -DeleteContent

This will Soft-Delete the content between these dates.
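
A more cautious way to run the deletion above, as an added example that is not from the original post: estimate how many items the query matches before deleting anything. The function names, the `$Mailbox` and `$MaxItems` parameters and the sample dates are assumptions; the date format follows the post's mm/dd/yyyy.

```powershell
# Added example (not from the original post). Both function names are hypothetical.
function New-ReceivedRangeQuery {
    param(
        [Parameter(Mandatory)] [datetime] $From,
        [Parameter(Mandatory)] [datetime] $To
    )
    if ($From -ge $To) { throw "From ($From) must be earlier than To ($To)." }
    # In a .NET format string 'MM' is the month; 'mm' would print minutes.
    $inv = [System.Globalization.CultureInfo]::InvariantCulture
    'Received:>{0} AND Received:<{1}' -f $From.ToString('MM/dd/yyyy', $inv), $To.ToString('MM/dd/yyyy', $inv)
}

function Remove-MailBetweenDates {
    param(
        [Parameter(Mandatory)] [string]   $Mailbox,
        [Parameter(Mandatory)] [datetime] $From,
        [Parameter(Mandatory)] [datetime] $To,
        [int] $MaxItems = 500      # refuse to delete more than this without a review
    )
    $query = New-ReceivedRangeQuery -From $From -To $To

    # Dry run: counts the matching items and changes nothing.
    $estimate = Search-Mailbox -Identity $Mailbox -SearchQuery $query -EstimateResultOnly
    Write-Host "$($estimate.ResultItemsCount) items match '$query' in $Mailbox"

    if ($estimate.ResultItemsCount -eq 0) { return }
    if ($estimate.ResultItemsCount -gt $MaxItems) {
        throw "Estimate exceeds MaxItems ($MaxItems); narrow the date range or raise the limit."
    }
    # Same call as in the post; -Force is not used, so the confirmation prompt stays.
    Search-Mailbox -Identity $Mailbox -SearchQuery $query -DeleteContent
}

# The query builder runs offline; these dates are constructed for illustration.
New-ReceivedRangeQuery -From '2013-10-01' -To '2013-10-15'
```

`Remove-MailBetweenDates` needs the imported Exchange Online session from the previous step.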

Hope you find this useful.


Removing a domain name from Office365

Sunday, 1 September 2013



In today’s post I’ll explain how to remove a domain name from an Office365 subscription, either because you’re migrating to another plan family, your trial subscription is about to end, or just because we’re not using the domain name anymore.

The first thing we must do is set the users that are using the domain name to use another domain name (the domain for example). This implies two things to check: the login UPN suffix (what comes after the @ symbol), and the proxy addresses (also called aliases) assigned on each user’s email addresses tab inside their properties.

So how do we do it via GUI (Graphical User Interface)?:

  • Access our Office365 portal with Admin credentials.
  • Go to Users and Groups.
  • Select all the users we’re about to change and click on edit.
  • Go to Details, and on Domain select another one.

For proxy addresses, we’ll have to do it one by one editing the details and clicking on the more tab and then on edit exchange properties, go to the email addresses section and delete the ones with domain name that we’re willing to remove.

So how to do it via PowerShell?:

$LiveCred = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $LiveCred -Authentication Basic -AllowRedirection

Import-PSSession $Session

  • Run the following to get the users that have the domain name we want to remove assigned:

Get-MsolUser -DomainName [Domain] | fl UserPrincipalName

  • Change the desired users with the following:

Set-MsolUserPrincipalName -UserPrincipalName [CurrentUPN] -NewUserPrincipalName [NewUPN]

Once we’ve removed the domain name from the users, we must do the same with distribution/security groups. To do so, we must access the Exchange Online Control Panel (if you have a small business plan, you must follow this article to access the ECP) by clicking on the upper right side where it says «Admin» and then on «Exchange», go to «groups», edit each one of them under the «email addresses» section, and delete the address containing the domain name we want to remove.

The same thing happens with shared mailboxes, site mailboxes and Lync Online users.

When we are done and have checked every single user containing the domain name to be deleted, we must click on the company name on the main screen of the Office365 portal and change the associated domain.

So, we’ve checked users, distribution/security groups, shared mailboxes, site mailboxes, Lync Online users and the associated domain; now we can proceed to its deletion from the domains section inside the Office365 portal: you just need to select the domain and delete it.

If we want to do this via PowerShell, this is what we need to run:

Remove-MsolDomain -Domain

Dynamic Distribution Groups in Exchange Online

Friday, 16 August 2013


If just a few days ago I explained how to create and manage Distribution Groups under Exchange Online, now I come to do the same for Dynamic Distribution Groups under Exchange Online.

Definition and Functionality

Dynamic Distribution Groups allow us to receive e-mails at a virtual address and distribute them among the group’s members, where the members are the users whose properties meet one or more of the conditions we specify in the properties of the group.

An example of this would be a department like Office365 IT Support located at NY, with one or more employees who need all the e-mails sent to an address like. Because this department has employees who frequently come and go, its management could be heavier than expected. To avoid this, Microsoft thought of a new functionality that could automatically add members located at the NY office and in the Office365 IT Support department.

With this functionality we not only avoid configuring a POP account PC by PC, but can also assign permissions to users who want to send e-mails as the department address or on its behalf, unlike the distribution groups of other platforms, and we also avoid a high management workload, as it’s automatic.

Configuration through the Office365 Portal

– The first thing we have to do is access our Office365 portal (

– Then we need to access the Exchange Control Panel (ECP) by clicking on the upper side of the screen where it says «Admin» and then on «Exchange». (Click here to access the ECP if you have a Small Business Plan.)

– Once inside, click on «Groups».

– Click on the «+» symbol and then where it says «Dynamic Distribution Group».

– Set the properties of the group we want to create:


Display Name: this is the name that will appear in the Global Address List and also to recipients as the Department.

Alias: this field is the identifier that the system will use to locate and identify this group.

Description: we can add a short description of what we’ll use the group for.

Owners: indicates who will have the permissions to make modifications over this group.

Members: here we will define who will form part of this group, allowing to receive all the messages sent to the virtual address, only if they meet the conditions we set below.

– Once you’ve created the group, we can define additional properties doing a double click on it.

The screens we will find are:

General, where we can define or edit options like Display Name, the SMTP address it will use, Description and something very important, the ability to hide the group from the Global Address List (GAL).


Ownership, where we can set the owners that can make modifications to the group, including the new member approvals.


Membership, here we can set the members or recipients of the mails sent to the virtual address and the conditions they have to meet to be one of it.


Membership Approval, to set the permissions config to join or leave the group.


Delivery Management, where we can set the senders that can send messages to this group. By default the selected option is set to «Only senders inside the organization», so if we want to receive messages from outside the organization we must select the other option where it says «Senders inside and outside of my organization». Also we can set specific members that can send to this group.


Message Approval, here we can set the message flow to moderate the messages in case we want to approve the received messages before distributing them to the members. We can also define the moderators we want and whether we want to exclude certain trusted senders from this rule. We also have the possibility to notify the sender in case their message has been rejected.


E-mail Options, from this section we can define one or various SMTP addresses to be used to receive using this group.


Mailtip, we can also define the message that will appear to users inside our organization using Microsoft Outlook when they select the group as a recipient. For example, a message indicating that there may be a delay of two days in answering the message.


Group Delegation, here we can assign permissions to «Send As» or «Send on Behalf Of» to users so they can send messages using the group as the sender.


Configuration through PowerShell

– First of all we need to prepare our environment to connect with our Office365 subscription via PowerShell.

– Then we only need to run the following:

New-DynamicDistributionGroup -Name "Dynamic DG Name" -RecipientFilter {(RecipientType -eq 'UserMailbox') -and (Department -like '<DeptName>')}

– Set the group to allow messages to be received from outside and inside the org:

Set-DynamicDistributionGroup "Group Name" -RequireSenderAuthenticationEnabled $False

– Assign other owners of the group:

Set-DynamicDistributionGroup -Identity "Group Name" -ManagedBy -BypassSecurityGroupManagerCheck

– Add additional SMTP addresses to the group:

Set-DynamicDistributionGroup "Group Name" -EmailAddresses SMTP:,

– Hide the group from the Global Address List (GAL):

Set-DynamicDistributionGroup "Group Name" -HiddenFromAddressListsEnabled $True

– Show members of a Dynamic Distribution Group:

$DDG = Get-DynamicDistributionGroup "Dynamic DG Name"

Get-Recipient -RecipientPreviewFilter $DDG.RecipientFilter | ft alias

I hope you find this useful.

Tip: PowerShell interactive for Office365

Monday, 15 July 2013

Hi, today I’ll bring you a little tip to make working with PowerShell easier and friendlier for those who aren’t comfortable with it or don’t want to remember arguments and other details when working with Office365. It’s none other than the «Out-GridView» modifier. It is nothing out of this world, but many people have asked for something to make PowerShell a bit easier: it lets you work with CmdLets in a more GUI-like, less text-based way, without having to remember the arguments and options of each one, and lets you filter the info with just a few mouse clicks.

For example, if we run the CmdLet «Get-Mailbox | Out-GridView» we’ll obtain a list of the mailboxes of our org, including the assigned server for each user, identifier and assigned quota.

If we use it in combination with other modifiers and/or arguments, we can extend the info and play with it, adding filters on screen to get a clear view of what we want. For example, in the following screenshot we’ve run the CmdLet «Get-MsolUser | Get-Member | Out-GridView»:


Hope you find it useful.

Mail Forwarding on Office365 with PowerShell

Friday, 7 June 2013


One of the functionalities of Exchange Online as part of the Office365 suite is the ability to forward mail to another mailbox or SMTP address quickly and easily from the user’s Office365 portal. But what happens when you have to do it as an admin on 500 users at a time? It gets tedious, right?

Well, we can do this quickly with the help of PowerShell with the following commands:



Forward mails to another mailbox:

Set-Mailbox -ForwardingAddress

Forward mailbox without saving a local copy:

Set-Mailbox -ForwardingAddress -DeliverToMailboxAndForward $false

Forwarding mails to another external mailbox:

Set-Mailbox -ForwardingSmtpAddress

Forwarding mails to another external mailbox without saving a local copy:

Set-Mailbox -ForwardingSmtpAddress -DeliverToMailboxAndForward $false

Apply the forwarding to users in mass:

Get-Mailbox | Where {$_.RecipientType -eq "UserMailbox"} | Set-Mailbox -ForwardingAddress

Apply the forwarding to users to be sent to external users in mass:

Get-Mailbox | Where {$_.RecipientType -eq "UserMailbox"} | Set-Mailbox -ForwardingSmtpAddress

Get forwarding Info of a user:

Get-Mailbox -Identity | fl DeliverToMailboxAndForward, ForwardingAddress, ForwardingSmtpAddress

Remove mail forwarding:

Set-Mailbox -ForwardingAddress $null

Remove mail forwarding sent to an external user:

Set-Mailbox -ForwardingSmtpAddress $null

Remove mail forwarding to users in mass:

Get-Mailbox | Where {$_.RecipientType -eq "UserMailbox"} | Set-Mailbox -ForwardingAddress $null

Remove mail forwarding sent to external users to users in mass:

Get-Mailbox | Where {$_.RecipientType -eq "UserMailbox"} | Set-Mailbox -ForwardingSmtpAddress $null
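
To review what the bulk commands above leave behind, an added example (not from the original post) that lists every mailbox with forwarding configured and marks targets outside the organization's own domains. The function name, the internal domain list and the sample mailboxes are assumptions.

```powershell
# Added example (not from the original post). Get-ForwardingFinding is a hypothetical helper.
function Get-ForwardingFinding {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Mailbox,
        [Parameter(Mandatory)] [string[]] $InternalDomains   # assumption: the org's own mail domains
    )
    process {
        $smtp     = [string]$Mailbox.ForwardingSmtpAddress   # set by -ForwardingSmtpAddress
        $internal = [string]$Mailbox.ForwardingAddress       # set by -ForwardingAddress
        if (-not $smtp -and -not $internal) { return }       # no forwarding on this mailbox

        $target   = $internal
        $external = $false
        if ($smtp) {
            # Exchange shows the value as "smtp:user@domain"; compare only the domain part.
            $target   = $smtp -replace '^smtp:', ''
            $domain   = ($target -split '@')[-1]
            $external = $InternalDomains -notcontains $domain
        }

        [pscustomobject]@{
            Mailbox        = $Mailbox.UserPrincipalName
            ForwardsTo     = $target
            External       = $external
            KeepsLocalCopy = [bool]$Mailbox.DeliverToMailboxAndForward
        }
    }
}

# Constructed sample mailboxes with the three properties the post reads with Get-Mailbox | fl.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'ana@contoso.example';   ForwardingAddress = $null;
                       ForwardingSmtpAddress = 'smtp:ana@mail.example.net'; DeliverToMailboxAndForward = $false }
    [pscustomobject]@{ UserPrincipalName = 'luis@contoso.example';  ForwardingAddress = 'Marta Ruiz';
                       ForwardingSmtpAddress = $null; DeliverToMailboxAndForward = $true }
    [pscustomobject]@{ UserPrincipalName = 'marta@contoso.example'; ForwardingAddress = $null;
                       ForwardingSmtpAddress = $null; DeliverToMailboxAndForward = $false }
)

# External targets first; a forward with no local copy leaves nothing behind in the mailbox.
$sample | Get-ForwardingFinding -InternalDomains 'contoso.example' |
    Sort-Object External -Descending | Format-Table -AutoSize

# Against a live session:
# Get-Mailbox -ResultSize Unlimited |
#     Get-ForwardingFinding -InternalDomains (Get-AcceptedDomain).DomainName
```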


To disable the mail forwarding option for users:

Read this post


Hope it’s useful.