Field Report: Edge Fails with “454 4.7.0 Temporary authentication failure”
Issue
There was a scenario where it was noticed that outbound mails were not getting delivered. The environment had 2 Edge Servers together with 2 CAS/Mailbox servers, both being Exchange 2013. Upon checking the mailbox queue on the internal servers, it was noticed that the mails were stuck in the queue on the Send connector that was responsible for outbound mail delivery with Edge Server.
The Error reported the following.
451 4.4.0 Primary target IP address responded with: “454 4.7.0 Temporary authentication failure.” Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts”
Additionally, the following tests were done.
- System Clock was checked between all Edge, Mailbox/CAS and domain controllers. They were in the same time.
- Checked for any replication issues between the domain controllers. No issues were found.
- Checked for communication related issues between the Edge Server and the Internal Exchange Servers for the below ports. All required ports were open.
| Network interface | Open port | Protocol | Note |
| Inbound from and outbound to the internal network | 25/TCP | SMTP | This port is required for mail flow to and from the Exchange organization. |
| Local only | 50389/TCP | LDAP | This port is used to make a local connection to AD LDS. |
| Inbound from the internal network | 50636/TCP | Secure LDAP | This port is required for EdgeSync synchronization. |
| Inbound from the internal network | 3389/TCP | RDP | Opening this port is optional. It provides more flexibility in managing the Edge Transport servers from inside the internal network by letting you use a remote desktop connection to manage the Edge Transport server. |
-
Checked the EdgeSync for Edge Server 01: The following results were noted.
EdgeSync service cannot connect to this subscription because of error “No EdgeSync credentials were found for Edge transport server ED01.contoso.com on the local Hub Transport server. Remove the Edge subscription and re-subscribe the Edge Transport server.”
-
Upon checking the Event viewer, the following errors were thrown;
-
Event ID 1032
Microsoft Exchange EdgeSync can’t find the replication credential on %1 to synchronize with Edge server %2. This may happen if %1 joined the current Active Directory site after subscription for %2 was established. To have this Hub Transport server participate in EdgeSync, re-subscribe %2 to the current Active Directory site.
-
Resolution
So basically, we see that the Edge Sync is not working as it should be. At the same time, we see that there’s a certificate issue as well. Upon checking the certificate, we identified that it’s from a local CA. So the next steps we would do is to;
- Re-assign Exchange services to the existing certificate
- Re run Edge Synchronization
-
Verify
However, upon doing the service re-assigning to the existing services, the following error was thrown.
The internal transport certificate for the local server was damaged or missing in Active Directory. The problem has been fixed. However, if you have existing Edge Subscriptions, you must subscribe all Edge Transport servers again by using the New-EdgeSubscription cmdlet in the Shell.
Though it said the problem has been fixed, we were still unable to get Edge Sync working. So the final thought was to;
- Generate new Exchange Server certificate
- Assign services to new certificate
- Re-run Edge-Sync
Viola!!! No more errors!!
Exchange Server Upgrade | Step-by-Step
The guide will cover upgrading an Exchange Server 2013 CU8 into Exchange 2013 CU15.
In a nutshell, this is the procedure:
-
Prepare the existing environment
- Download the latest binaries
- Remove Interim Updates
-
Perform Upgrade
- Enable Exchange Server maintenance mode (High Availability)
- Upgrade Schema
- Install Exchange Binaries
- Enable Exchange Server services
Prepare the existing environment
Download Exchange Server SP/RU/CU binaries
When you are performing an Upgrade, you can go ahead and install the latest Cumulative Update (CU). You DO NOT, need to install all previous CU’s one by one in an incremental way. This is because a CU is a full installation of Exchange Server plus a collection of all the updates, patches and changes that has been made available so far.
For an Example, if you are on Exchange Server 2016 RTM, you can straight away install CU4. Because CU4 will contain all changes made in each of the CU’s previously released.
Exchange 2016
| Version | Blog post |
| Exchange 2016 CU4 | Released: December 2016 Quarterly Exchange Updates |
| Exchange 2016 CU3 | Released: September 2016 Quarterly Exchange Updates |
| Exchange 2016 CU2 | Released: June 2016 Quarterly Exchange Updates |
| Exchange 2016 CU1 | Released: March 2016 Quarterly Exchange Updates |
| Exchange 2016 RTM | Exchange Server 2016: Forged in the cloud. Now available on-premises |
Exchange 2013
Remove Interim Updates
Now that you have downloaded the binaries, you need to get rid of the Interim Updates that may have been installed in your environment. In some cases, if an Interim Update is installed, Microsoft Exchange Server CU’s or SP’s cannot be installed. Therefore, before installing the binaries, read the release notes for any information on removal of interim updates. Below steps will guide for that;
- In Control Panel, double-click Programs and Features.
- In the Currently installed programs list, click Interim Update for Exchange Server 201X (KBxxxxxx), where xxxxxx is the Knowledge Base article number that is associated with the IU.
- Click Remove.
- At a command prompt, run sn.exe -Vu * to enable strong name verification.
- Run sn.exe –Vl to verify that strong name verification is enabled.
Perform Upgrade
Enable Exchange Server maintenance mode (High Availability)
If you have standalone servers in your environment, then an upgrade will require you to go in for a downtime. Why? Because the services needs to be stopped during the upgrade process. In such a scenario, skip to the Upgrade section.
However, if your environment consists multiple servers in terms of 2xCAS or 2xMBX or 2x(CAS+MBX) or any of a combined scenario, it is highly advised that you perform upgrading of the servers one by one. This will ensure that your environment will stay online using the rest of the high available servers taking the downtime away.
There’s a catch in here. Let’s say we have a 2 Mailbox Server scenario: Server A and B. You decide to mount all databases into ServerA and upgrade Server B. Although this seems an okay way to do, it is not the case. Reason is that the Active Manager and other Exchange backend workers doesn’t know that you are doing a planned maintenance. Thus, the workers will think that the server is in a failed state. Can we fix this? Absolutely. You have to take the services on Server B or the server that you are about to do the upgrade into ‘Maintenance Mode’.
Below steps will guide you to do so;
- Run Exchange PowerShell as Administrator.
-
Run below command to drain connections on the Hub Transport service
Set-ServerComponentState <SERVER> -Component HubTransport -State Draining -Requester Maintenance
-
Run below command to disable cluster services
Suspend-ClusterNode <SERVER>
- Run below command to prevent databases from being mounted on the server. It will also immediately move any mounted databases on the server to other servers if copies exist and are healthy.
Set-MailboxServer <server> -DatabaseCopyActivationDisabledAndMoveNow $true
- Verify that no mailbox databases are mounted on the server.Get-MailboxDatabaseCopyStatus
-
Run below command to block databases being automatically activated on the specified Mailbox server.
Set-MailboxServer <server> -DatabaseCopyAutoActivationPolicy Blocked
-
Run below command to put the state of all components together to Inactive.
Set-ServerComponentState <server> -Component ServerWideOffline -State Inactive -Requester Maintenance
- Close PowerShell.
Upgrade Schema
Now that the server has been put to maintenance mode and you are ready to proceed with the Upgrade process. First thing we need to do is, update the schema. This is critical because without the required schema updates, the setup will not proceed.
- Run command prompt as Administrator.
-
Run below command
Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms
-
Run below command
Setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms
-
Run below command
Setup.exe /PrepareAllDomains/IAcceptExchangeServerLicenseTerms OR Setup.exe /PrepareDomain/IAcceptExchangeServerLicenseTerms
- Navigate to the Exchange installation binaries folder.
- Run setup.exe.
-
On the Check for Updates window, select your choice and click OK.
- On the Upgrade window, click Next.
- On the License Agreement page select “I accept ….” and click Next.
- On the Readiness Check page, ensure no prerequisites are pending. Click Next to proceed.
- Now the installation will proceed.
- Once the installation is finished, click Finish.
- Restart the server.
Now that the server has been upgraded successfully we can resume Exchange services back to normal mode. Follow the below steps.
- Run Exchange PowerShell as Administrator.
-
Run below command to enable connections on the Hub Transport service.
Set-ServerComponentState <SERVER> -Component HubTransport -State Active -Requester Maintenance
-
Run below command to enable cluster services
Resume-ClusterNode <SERVER>
-
Run below command to enable databases from being mounted on the server.
Set-MailboxServer <server> -DatabaseCopyActivationDisabledAndMoveNow $false
-
Run below command to enable databases being automatically activated on the specified Mailbox server.
Set-MailboxServer <server> -DatabaseCopyAutoActivationPolicy Unrestricted
-
Run below command to put the state of all components together to Activate.
Set-ServerComponentState <server> -Component ServerWideOffline -State Active -Requester Maintenance
- Close PowerShell.
Now that your server is back in the game. It’s time to upgrade the second server. Perform the steps above from the beginning to do so.
Happy Upgrading!! J
Field Report: Cisco and Exchange woes. 451 5.7.3 Cannot achieve Exchange Server authentication. Telnet fails with 200*****
So this was a strange case that i came across with. Here’s my setup.
In this scenario, strangely it was noticed that the mail is getting queued in our Exchange 2013 environment which is bound to Exchange 2010 mailboxes. Upon the error notification, we identified the below error.
451 4.4.0 Primary target IP address responded with: “451 5.7.3 Cannot achieve Exchange Server authentication.” Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.
Additionally, upon doing a telnet from the Server B range to Server A range, we noticed that we are not getting the expected banner while telnet’ing port 25 as below.
Also, EHLO command fails with 500 5.3.3 Unrecognized command
If i try to telnet the relevant server from the same subnet, I get the correct HELO banner and the EHLO reply as below.
If you are getting the above error, it could be due to two reasons.
- The sending Exchange Server do not have authentication permission on the receiving Exchange Server(s).
If this is the case, that means the Exchange server which we cannot send email to doesn’t have it’s Exchange Server Authentication enabled. Because of this, when the Sending Exchange server is trying to authenticate against the receiving servers, it fails. To resolve this we need to set Exchange Server Authentication enabled, on the recipient servers receive connector.- Login to your Exchange Hub Transport Server where you cant send the mail to.
- In the Exchange Management Console, expand Server Configuration in the console tree, and select Hub Transport.
- In the work pane, select the Receive Connectors tab.
- Double-click the Default Receive connector.
- Ensure that the Exchange Server authentication option is selected.
- Click OK to save.
- Restart the Microsoft Exchange Transport Service.
- There could be a Cisco firewall sitting between the Exchange Servers.
This could be a trike situation. If you have placed a firewall between servers due to whatever reason and if your firewall is a Cisco FWSM, Cisco PIX or Cisco ASA then the Mailguard feature might be the cause. (In my case, this was the culprit)
If this is your issue. you need to disable ESMTP inspection. Microsoft has a KB article written which you can check out so the network team can set it up accordingly.
Did it work? Anything else you want to add? let us know..
Field Report: Cant Move/Delete emails with attachments
Issue:
Users were complaining that they are unable to delete mails from outlook. The environment was Exchange Server 2010 with SP1. Users were on Outlook 2010. Strangely, the issue was not seen for all the users. However there were multiple complaints from a few users that they are getting an error message while trying to delete old emails.
Upon checking up with the users, here’s what was noticed:
- While using outlook:
- User cannot delete email with attachments.
- User cannot move email with attachments.
- Upon deleting and moving the below error message is thrown.
- User can move/delete emails that does not have any attachments.
Some items cannot be deleted. They were either moved or already deleted, or access was denied. More Details>> This error may be the result of trying to delete more than 4,000 messages at one time. Outlook can delete no more than 4,000 messages when it is working with a server message store. To avoid this error, delete fewer than 4,000 messages in a single operation. It is also possible that you do not have the appropriate permissions to delete messages. If you need to delete content from a folder owned by someone else, contact the owner of the folder to obtain the necessary permissions, or have the owner delete the content for you.
Now this was quite strange. After looking up for a bit, I came up with a similar issue. However it was related to Exchange Server 2010 RU6 or SP3 environments. If you have such an environment, you might want to look over here: https://support.microsoft.com/en-us/kb/2822208
In our case, it was Exchange Server 2010 SP1. So it had to do with something else.
Cause:
One gotcha out of the symptoms was that it had to do with something related to attachments. So while going through message sizing parameters for user, rules, database, connectors and Transport Services, it was identified that the there was a change done to the Exchange Transport Settings on the Hub Transport Server. The Maximum Send/Receive sizes was reduced. And that my friend, was the culprit! Here’s what has happened.
Initially, the Maximum Send/Receive sizes were at 10MB. Life was so good. People could send and receive attachments, they were able to delete, move and so much more. Suddenly the administration decided to reduce the sizes to 3MB. This seemed to be the main cause for our issue. Due to some reason (I’m yet to get deep into what relationship it has) mails that’s got attachments greater than the Maximum Send/Receive size (3MB) are not getting deleted.
Resolution:
- Open Exchange Management Console.
- Navigate to Organization Configuration, Hub Transport , Global Settings , Transport Settings , General tab.
- Change the below values to a reasonable value (in my case it was 10MB, the previous value)
- Maximum receive message size (MB)
- Maximum send message size (MB)
- Restart Microsoft Exchange Transport service.
- Ask your users to close Outlook and check if the mail items can be deleted now.
That was it. Things worked and they were able to delete the emails.
Bit more information regarding why this happens, I’ll look into more and post over here.
If you have any inputs do comment over here.
Ignite 2016 Session Viewer for O365/Exchange – Technet Gallery
This is a small macro sheet I made to be used as a one-stop real time viewer for Office 365 and Exchange Server related sessions from the Microsoft Ignite 2016. Currently there are more than 170 Office 365 and 50 Exchange related sessions listed on the Microsoft Ignite site. This viewer is not fully updated, however the session list is getting updated and will post changelogs in whats news.
Download
Following sessions are available for viewing;
- BRK1001 : Maximize your Office 365 administration: tips and tricks
- BRK1003 : Explore accessibility in Office 365: plans and progress
- BRK1016 : Address your CXO’s top five cloud security concerns
- BRK1021 : Unplug with the Microsoft Outlook experts
- BRK1033 : Build your intranet with Microsoft Office 365
- BRK1044 : Dive deeper into what’s new and what’s coming in Outlook on the web
- BRK2008 : Understand your users: what’s new in Office 365 Usage Reporting
- BRK2009 : Manage Office 365 more effectively: what’s new in Office 365 administration
- BRK2010 : Implement ExpressRoute for Microsoft Office 365 (step by step)
- BRK2013 : Keep calm and automate: How we secure the Office 365 service
- BRK2032 : Identify and illustrate insights with new Microsoft Excel Charts
- BRK2033 : Discover Office 365 Groups – overview, what’s new and roadmap
- BRK2035 : Learn about advancements in Office 365 Advanced Threat Protection
- BRK2035 : Learn about advancements in Office 365 Advanced Threat Protection
- BRK2044 : Discover what’s new and what’s coming for Office Delve
- BRK2046 : Learn what to use when: Office 365 Groups, SharePoint Team Sites, Yammer, and OneDrive for Business
- BRK2050 : Dive into Microsoft Office 365 and SharePoint Hybrid Scenarios
- BRK2053 : Connect your business critical applications to Outlook and Groups
- BRK2093 : Design your Exchange infrastructure right (or consider moving to Office 365)
- BRK2097 : Drive Office 365 adoption: methodology, best practices, and resources from Microsoft
- BRK2100 : Move to Office 365 and drive adoption – lessons learned from the Carlsberg Group
- BRK2139 : Protect your business and empower your users with cloud Identity and Access Management
- BRK2160 : Build business applications with Power Apps, Microsoft Flow, and Office 365
- BRK2166 : Learn about Office 365 Secure Score: actionable security analytics
- BRK2170 : Discover what’s new with Microsoft Exchange Public Folders
- BRK2215 : Debate the top 10 reasons not to move your Exchange on-premises mailboxes to Exchange Online
- BRK2216 : Unplug with the experts on Exchange Server and Exchange Online
- BRK2216 : Unplug with the experts on Exchange Server and Exchange Online
- BRK2217 : Discover modern support in Outlook for Exchange Online
- BRK2218 : Move from Exchange 2007 to Modern Exchange
- BRK2219 : Meet twin sons of different mothers – Exchange Engineers and Exchange MVPs
- BRK2220 : Peer behind the curtain – how Microsoft runs Exchange Online
- BRK2245 : Transform the way you manage Skype for Business
- BRK2252 : Understand Microsoft’s Office 365 datacenter strategy and approach
- BRK2275 : Improve Office 365 adoption: top 10 ways
- BRK2298 : Plan to drive value and user adoption in Microsoft Office 365
- BRK3000 : Unplug with the experts on Microsoft Exchange Top Issues
- BRK3001 : Explore the ultimate field guide to Microsoft Office 365 Groups
- BRK3003 : Collaborate outside the firewall with Microsoft Office 365
- BRK3007 : Investigate tools and techniques for Exchange Performance Troubleshooting
- BRK3015 : Reduce costs and challenges with Office 365 eDiscovery and Analytics
- BRK3016 : Take control of your data with intelligent data governance in Office 365
- BRK3017 : Own your data and service – monitor and investigate with Office 365 Auditing, Insights and alerts
- BRK3018 : Take control of your security and compliance with Office 365
- BRK3019 : Manage Microsoft Office 365 Groups
- BRK3022 : Challenge cloud encryption myths and learn about Office 365 BYOK plans
- BRK3023 : Understand how Microsoft protects you against Spoof, Phish, Malware, and Spam emails
- BRK3024 : Building security and compliance solutions with the O365 Activity API – a Microsoft IT case study
- BRK3040 : Own your data with next generation access control technology in Office 365
- BRK3045 : Use Microsoft Graph to reach users on hybrid Exchange 2016
- BRK3046 : Build intelligent line-of-business applications leveraging the Outlook REST APIs
- BRK3074 : Discover what’s new in Active Directory Federation and domain services in Windows Server 2016
- BRK3083 : Secure Office 365 like a cybersecurity pro—assessing risk and implementing controls
- BRK3102 : Conduct a successful pilot deployment of Microsoft Intune
- BRK3109 : Deliver management and security at scale to Office 365 with Azure Active Directory
- BRK3215 : Dive into Modern Authentication – how it works and what to do when it doesn’t
- BRK3216 : Plan performance and bandwidth for Microsoft Office 365
- BRK3217 : Run Microsoft Exchange Hybrid for the long haul
- BRK3219 : Migrate to Exchange Online via Exchange Hybrid
- BRK3220 : Deploy Microsoft Exchange Server 2016
- BRK3221 : Understand the Microsoft Exchange Server 2016 Architecture
- BRK3222 : Implement Microsoft Exchange Online Protection
- BRK3227 : Ask us anything about Microsoft Office 365 Groups
- BRK3242 : Discover a new level of Service Health insights for Office 365
- BRK3253 : Experience Scott Schnoll’s Exchange tips and tricks
- BRK3254 : Cert Exam Prep: Exam 70-345: Designing and Deploying Microsoft Exchange Server 2016
- BRK3281 : Deliver a BYOD program that employees and security teams will love with Microsoft Intune
- BRK3298 : Secure your Active Directory to mitigate risk in the cloud
- BRK4000 : Review ExpressRoute for Office 365 configuration (routing, proxy and network security)
- BRK4015 : Build client-side web parts for Microsoft SharePoint
- BRK4031 : Overcome network performance blockers for Office 365 Deployments
- BRK4032 : Dive deep into Microsoft Exchange Server High Availability
- THR1003R : Take control of your security and compliance with Office 365
- THR1004R : Empower employees with Microsoft Delve Analytics
- THR1005R : Dive deeper into what’s new and what’s coming in Microsoft Outlook 2016 for Windows
- THR1011R : Dive deeper into what’s new and what’s coming in Outlook mobile
- THR2004R : Manage Microsoft Office 365 from anywhere
- THR2006R : Get an edge over attackers – what you need to know about email threats
- THR2007R : Fight back with advancements in Office 365 Advanced Threat Protection
- THR2009R2 : Roll out Microsoft Office in one of the most demanding environments
- THR2020R : Deploy successfully : top 10 Office 365 ProPlus installation/activation tips
- THR2022 : Migrate your data to Microsoft Office 365 – why?
- THR2190R : Secure your sensitive email with Office 365 message encryption
- THR2207 : Modernize your clients with Office 365, Windows 10 and Enterprise mobility – the admin experience
- THR3001R : Migrate DL to Microsoft Office 365 Groups
- THR3007 : Protect your sensitive information with Office 365 Data Loss Prevention
- THR3008R : Gain visibility and control with Office 365 Advanced Security Management
- THR3010 : Help your users collaborate better with Office 365 Groups
Migrating from Gmail to O365 – Step by Step
Hello everyone,
Today’s post is going to take a different approach. It’s a video tutorial. The session is going to be a full step by step guide that describes how you can migrate from a gmail environment to an Office 365 environment using an IMAP migration process.
You can use the Internet Message Access Protocol (IMAP) to migrate user email from Gmail, Exchange, and other email systems that support IMAP migration. When you migrate the user’s email by using IMAP migration, only the items in the users’ inbox or other mail folders are migrated.
Note:
- It is required that you create a mailbox for each user before you migrate their email from the gmail account.
- You can migrate a maximum of 500,000 items from a user’s mailbox (emails are migrated from newest to oldest)
- The biggest email you can migrate is 35 MB.
- You can only migrate items in a user’s inbox or other mail folders. This type of migration doesn’t migrate contacts, calendar items, or tasks.
- Migration provisioning requires the user passwords or delegated access to user mailboxes using administrator credentials.
Watch-out for a step by step guide in the near future. If you do encounter any errors, please do comment below. Cheers!!
PowerShell: Manage your O365 – Step by Step
In this article, let’s see how we can use PowerShell and start with the scratch in getting into O365.
The scenario that we are talking about assumes that the user has created a tenant in the office 365 environment. No further changes in terms of domain/users etc. has not been performed.
Import PS Module
Import PowerShell Online Module: Before doing any of the below tasks, we need to download the commands and functions. By default, PowerShell doesn’t include the commands. So run the below command which will load the Online command modules;
Import-Module MSOnline
Login
Login to Office 365 tenant: Now after loading the module, we need to connect to the Office 365. The Connect-MsolService cmdlet will initiate a connection with Microsoft Azure Active Directory.
This first command will prompt for the credentials and pass it on in the second command that will authenticate with your tenant.
$msolCredentials = Get-Credential
Connect-MsolService -Credential $msolCredentials
List down authorized Domains:
The below cmdlet is used to retrieve the associated domains under the given tenant. Here we check the existing domains.
Get-msoldomain | fl
Add Domain:
The cmdlet is used to create a new domain object in the given Office 365 tenant environment. Once completed a domain entry will be displayed under the domain list. However, the verification is still under pending.
New-MsolDomain –Authentication Managed –Name scko.info
Domain Verification
Domain Verification Part 1:
Is used to return the details of the DNS records that need to be set to verify a domain. Values for Mode are DnsMXRecord and DnsTxtRecord where you will use the values in your DNS Registrar.
Get-MsolDomainVerificationDns -DomainName scko.info -Mode DnsTxtRecord
Domain Verification Part 2:
Used to confirm ownership of a domain. Once you have added the above TXT or MX records to your DNS list, you run the below command which will run the verification from Office 365 end to verify and confirm the domain ownership.
Confirm-MsolDomain –DomainName scko.info
List down authorized Domains:
Now we will use the cmdlet again to retrieve the associated domains.
Get-msoldomain | fl
Note: Please note that after this step, the retrieval of the DNS records associated with Office 365 services (Exchange/SharePoint/S4B etc) needs to be done using the web based Office 365 Admin page. You cannot retrieve the related DNS records through PowerShell.
Note: Adding Licenses needs to be done from the web portal.
Check Office 365 License:
The below cmdlet will list all the SKUs that the tenant owns.
Get-MsolAccountSku
At this point we have finished the following;
- Tenant Creation
- Domain adding and verification
User creation
In the next step we will look at user creation.
Create Single User:
The cmdlet will create an individual account.
New-MsolUser -UserPrincipalName jude@scko.info -City Colombo -State Western -Country “Sri Lanka” -DisplayName”Jude Perera” -FirstName Jude -LastName Perera -Password admin@123 -UsageLocation LK -LicenseAssignmentjcpciex:ENTERPRISEPACK
Note: If the license assignment is done at this point the USAGELOCATION and LICENSEASSIGNMENT parameters are required. The value for the LicenseAssignment can be obtained through the Get-MsolAccountSku cmdlet
Office 365 User Attributes
New-MsolUser -UserPrincipalName -City -Country -Department -DisplayName -FirstName -LastName -MobilePhone -PasswordNeverExpires -State -StreetAddress -Title -UsageLocation -LicenseAssignment
| Attribute | Description |
| UserPrincipalName | This is the account name that’s used to sign in to Office 365 services. |
| City | This will include the city |
| Country | The country of the user |
| Department | The department |
| DisplayName | This is the display name that’s used in Office 365 services. |
| FirstName | First Name |
| LastName | Last Name |
| MobilePhone | Mobile phone number |
| PasswordNeverExpires | This specifies if the user password is set to expire(false) or not(true) |
| Password | If you don’t specify a password, a random password is assigned to the user account, and the password is visible in the results of the command. If you specify a password, it needs to meet the following complexity requirements:
· 8 to 16 ASCII text characters. · Characters from any three of the following types: lowercase letters, uppercase letters, numbers, and symbols. |
| UsageLocation | This is a valid ISO 3166-1 alpha-2 country code. For example, US for the United States, and FR for France. It’s important to provide this value, because some Office 365 services aren’t available in certain countries, so you can’t assign a license to a user account unless the account has this value configured. |
| LicenseAssignment | This is the licensing plan (also known as the license plan, Office 365 plan, or SKU) from which an available license is assigned to the user account. The license defines the Office 365 services that are available to account. You don’t have to assign a license to a user when you create the account, but the account requires a license to access Office 365 services. |
Get User Details:
The command will retrieve the user information for the given users UPN
Get-MsolUser -UserPrincipalName jude@scko.info |fl
Now that we have learnt how to add a single user and what attributes we can associate it with, lets see how we can do a bulk import. This is especially useful when you are creating the users at first or having to add multiple users at a single time.
In preparation for this task we need create the users and attributes in CSV format. The below table lists sample data and the attributes that will be imported to Office 365.
Sample CSV file can be downloaded from here.
Bulk Import:
The below cmdlet will import the users and attributes from the given CSV file
Command 01:
$users = Import-Csv “D:\Demo ITPro\Office365Users.CSV”
Command 02:
$users | ForEach-Object{New-MsolUser -UserPrincipalName $_. UserPrincipalName -City $_.City -Country $_.Country -Department$_.Department -DisplayName $_.DisplayName -FirstName $_.FirstName -LastName $_.LastName -MobilePhone$_.MobilePhone -State $_.State -StreetAddress $_.StreetAddress -Title $_.Title -UsageLocation $_.UsageLocation -LicenseAssignment $_.LicenseAssignment}
Password Configuration:
The below command can be used to enable(true) or disable(false) the requirement of Strong Passwords for users
Get-MsolUser | Set-MsolUser -StrongPasswordRequired $false
Password Change:
If you wish to change the passwords of your users in bulk mode, the below import method can be used.
The import method will import a list of users, their UserPrincipleName and the new Password along with the Set-MsolUserPassword cmdlet. You can use a CSV file with below format.
| UserPrincipalName | Password |
| User One | pass@word1 |
| User Two | pass@word2 |
| User Three | pass@word3 |
Import-Csv “D:\Demo ITPro\Office365Users.csv” | % {Set-MsolUserPassword -UserPrincipalName $_.UPN -NewPassword $_.password -ForceChangePassword $false}
Create Office 365 User Groups:
The New-MsolGroup cmdlet is used to add a new security group to the tenant. Note that creating groups does not mail enable them. Mail enabling a group needs to done with the help of the Microsoft Exchange Online PowerShell module which we will look in a later stage.
New-MsolGroup -DisplayName “Security Group” -Description “Security Group”
View Office 365 Groups:
The below cmdlet will list down with the Groups and all related attributes.
Get-MsolGroup | fl
Adding users to Group: Adding users or members to a group is not simple as the browser based controls. The Add-MsolGroupMember cmdlet is used to add members to a security group. The new members can be either users or other security groups. The group memberships totally depends on Group and User ID’s under the user/group properties.
Add-MsolGroupMember -GroupMemberObjectId <Guid> -GroupObjectId <Guid> [-GroupMemberType <string>] [-TenantId <Guid>] [<CommonParameters>]
-GroupMemberObjectId <Guid>: The object ID of the member (User or Group) to add to the group. The ID of the group to add members to. To get the value, run the Get-MsolUser -UserPrincipalName singleadd@scko.info | fl command. The Users ObjectID is shown in the below screenshot.
-GroupObjectId <Guid>: The ID of the group to add members to. To get the value, run the Get-MsolGroup | flcommand. The Groups ObjectID is shown in the below screenshot.
Now we will combine the above values to add the User “Single Add” to the new group we created earlier.
Add-MsolGroupMember -GroupObjectId 1a3edbb9-ec64-4184-bd22-5df4ae830158 -GroupMemberObjectId 52db4e40-bd95-426b-9c5a-bc752ceb044e
Once the member is added, now we run the below command to check the member adding
Get-MsolGroupMember -GroupObjectId a0b12555-e840-4f53-a857-91e41b69dbf0
Part 1 is done. In the coming days let’s see how we can use PowerShell to connect to Exchange Online services and manage things.
Until then, happy (power)shell’ing 🙂
