Category Archives: Exchange Online

Un-Encrypted PST Import (Network Upload) to Office 365

This is a complete step-by-step for using the Office 365 Import Service to upload an un-encrypted PST File to Office 365.

Please review the Microsoft documentation for updates or changes to this process.

https://technet.microsoft.com/en-us/library/mt644809.aspx

Pre-Requisites

Mailbox Import Export Role – In order to perform the import, the account doing the import needs to be assigned the Mailbox Import Export role. This is easily accomplished by adding the role to the Organization Management role group (as seen in the screen shot). Alternatively, you can create a new role group and assign your account permissions.

Open Exchange Admin Center

(1) Click Permissions

(2) Click Admin Roles

(3) Double Click Organization Management

(4) Click + Roles

(5) Select Mailbox Import Export

(6) Click Add ->

(7) Click OK

(8) Click Save

PST File Share – The PST file(s) that are being imported (you can import more than one at a time) need to be stored on a network file share, or a file share on your local PC. Note the syntax in the later steps with AzCopy.exe.

Storage Key and Upload URL – During the process below, you are given a storage key and an upload URL. Keep these secure and treat them just like a password. If they fall into the wrong hands, anyone can upload to your tenant.

 

Step-by-Step Process for an Un-Encrypted PST Import (Network Upload) to Office 365

 

  • Download Network Upload Tool (AzCopy.exe)

In order to upload PST files to Microsoft, you must download and install the AzCopy.exe tool. Follow the process below to download and install the tool.

Navigate to https://protection.office.com

Sign in with a Global Admin account for your organization

(1) Click Data Management

(2) Click Import

(3) Click Go to the Import Service

(4) Click

(5) Click Upload Files Over the Network

On the popup page, click Download Tool (Azure AzCopy tool)

Click Run

Click Next

Agree to the EULA

Click Next

Accept the default install location

Click Next

Click Install

Click Yes

Click Finish

  • Storage Key and Upload URL

Before we can use the AzCopy tool to upload the PST file(s) to Office 365, we need to get the upload secure key and the URL. Please use the steps below to get the key and URL specific to your tenant.

Open the Import Data to Office 365 page that we had open in the previous step

Click the icon

***NOTE*** This is a secure key and URL. Treat this like a password and make sure that it’s kept secure.

Click Copy Key (note that this process can take up to 5 minutes to complete)

Click Show URL for PST Files

Copy the key and URL for use in the next step

  • Upload the PST File(s) to Office 365

Now that we have the AzCopy tool downloaded and installed and we have the secure key and URL, we can upload the PST file(s) to Office 365. Follow the steps below to upload the PST file(s) to Office 365.

Open a command prompt as an admin (on the machine where you installed AzCopy)

Open the directory where you installed AzCopy

Run the following command to start the PST File(s) upload

AzCopy.exe /Source:\\SERVER01\PSTshare /Dest:<URL COPIED FROM STEP ABOVE>/SERVER01/PSTshare/ /Destkey:<SECURE KEY COPIED FROM STEP ABOVE> /S /V:C:\PSTshare\Uploadlog.log

\\SERVER01\PSTshare This denotes the share in which your PST File(s) are placed. If there are multiple PST Files in this location, AzCopy will upload them all.

<URL COPIED FROM STEP ABOVE> This denotes the URL that we got from Office 365 in the step above.

<SECURE KEY COPIED FROM STEP ABOVE> This denotes the secure key that we got from Office 365 in the step above.

C:\PSTshare\Uploadlog.log This denotes a location on the local machine where the verbose log file can be written

If you need additional help or need further explanation on the command above, please use this Microsoft site. https://technet.microsoft.com/en-us/library/mt644809.aspx

 

  • Create the PST Mapping File

Now that the PST File(s) are uploaded to Office 365, we need to create a CSV file that will map the PST file to the mailbox in Office 365. Follow the steps below to create the CSV file.

Download the PST Mapping Template File from Microsoft

Complete the CSV file with your specific information, filling in as many lines as needed. One line per PST file uploaded.

***Note **** If you need additional help or need further explanation on the PST Mapping File, please use this Microsoft site.

Save the PST Mapping File

 

  • Create the Office 365 Import Job

Now that we have the data uploaded and the PST mapping file saved, we can create the import job in Office 365 that will take the mapping file and import the PST files to the mailboxes specified. Follow the steps below to complete the process.

Navigate to https://protection.office.com

Sign in with a Global Admin account for your organization

(1) Click Data Management

(2) Click Import

(3) Click Go to the Import Service

(4) Click

(5) Click Upload Files Over the Network

(6) Check * I’m done uploading my files

(7) Check * I have access to the mapping file

(8) Click Next

(9) Enter a Job Name

(10) Click Next

(11) Click + to Add the Mapping File

(12) Validate the Mapping File (Under 100 rows)

(13) Agree to the terms and conditions

(14) Click Finish

(15) Click Closed

The import will now start. You can check the status of the import by going to the Office 365 Admin Center and opening the Import tab. Use the refresh button to get the updated status.

Monitor the status column for completion or error. My upload below completed with skipped items. Clicking on the job and then selecting View Details will allow you to troubleshoot the status message. In my example below, I had one corrupted mail item, and this was discovered with a detailed log provided with the upload.

 

Thanks for visiting and reading my posts. I am always looking for more ideas. Please comment or email me with what you would like to see.

Kelsey Epps Office365 MVP

Email Me Follow me on Twitter Connect with me on LinkedIN

Blocking Apps from Using EWS

If you're reading this post, you were probably asked by your security team to block a certain app or apps from accessing Office 365 (Exchange Online). There are all kinds of security reasons that you would need to block applications from using Exchange Web Services (EWS). I am in no way picking on any one application; the one shown in the post below just happens to be the one that I was asked to block by a client. Their security team reviewed the app and it didn’t meet their corporate security policy.

In order to block EWS applications, we need to use the Set-OrganizationConfig command, and then specify two EWS parameters.

 

Let’s first review your organization and see if you have a Block List setting and if there are applications in there.

 

Connect to Exchange Online with PowerShell

 

$UserCredential = Get-Credential

 

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

 

Import-PSSession $Session

 

Verify Existing Settings

 

Get-OrganizationConfig |ft Name,EwsApplicationAccessPolicy,EwsBlockList,EwsAllowList

 

From the results above we can see that the EwsApplicationAccessPolicy is not set and there is nothing in the EwsBlockList or the EwsAllowList

 

Understand the Process (EwsApplicationAccessPolicy and EwsBlockList or EwsAllowList)

 

There are two basic methods of blocking applications. Most companies that I work with want to allow everything and target specific apps to block.

 

You can block everything except what’s on the allow list; EnforceAllowList

-or-

You can allow everything except what’s on the block list; EnforceBlockList

 

-EwsApplicationAccessPolicy <EnforceAllowList | EnforceBlockList>

The EwsApplicationAccessPolicy parameter defines which applications other than Entourage, Mac Outlook, and Outlook can access EWS. If set to EnforceAllowList, only applications specified in the EwsAllowList parameter are allowed access to EWS. If set to EnforceBlockList, every application is allowed access to EWS except the ones specified in the EwsBlockList parameter.

 

-EwsBlockList

The EwsBlockList parameter specifies the applications that can’t access EWS when the EwsApplicationAccessPolicy parameter is set to EnforceBlockList.

 

-EwsAllowList

The EwsAllowList parameter specifies the applications (user agent strings) that can access EWS when the EwsApplicationAccessPolicy parameter is set to EnforceAllowList.

 

 

Enable the Block List and add an Application

 

This method will show how to allow all applications (that use EWS) and only block ones on the block list. You’ll see the command to block a specific application and then the confirmation command after.

 

Set-OrganizationConfig -EwsApplicationAccessPolicy:EnforceBlockList -EwsBlockList:"CloudMagic*"

 

Given some replication and policy time the user will see this.
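The command above replaces whatever is already in EwsBlockList, and it switches the policy even if the organization was on EnforceAllowList. The function below is an added example, not part of the original post: it appends to the block list and refuses to loosen an existing allow-list policy. The name Add-EwsBlockListEntry is hypothetical, and the example assumes the Exchange Online session from earlier in this post is already imported.

```powershell
# Added example (not from the original post).
# Add-EwsBlockListEntry is a hypothetical helper name.
function Add-EwsBlockListEntry {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$UserAgentPattern
    )

    $config = Get-OrganizationConfig
    $policy = [string]$config.EwsApplicationAccessPolicy

    # Under EnforceAllowList, anything not listed is already blocked.
    # Switching to EnforceBlockList would open EWS to every other app.
    if ($policy -eq 'EnforceAllowList') {
        throw 'EwsApplicationAccessPolicy is EnforceAllowList; not switching to EnforceBlockList.'
    }

    # Skip patterns that are already on the list (-notcontains ignores case).
    $existing = @($config.EwsBlockList | Where-Object { $_ } | ForEach-Object { [string]$_ })
    $toAdd = @($UserAgentPattern | Where-Object { $existing -notcontains $_ } | Select-Object -Unique)

    if ($toAdd.Count -eq 0 -and $policy -eq 'EnforceBlockList') {
        Write-Verbose 'Policy and block list already match; nothing to change.'
    }
    elseif ($PSCmdlet.ShouldProcess('OrganizationConfig', "Block EWS user agents: $($toAdd -join ', ')")) {
        $params = @{ EwsApplicationAccessPolicy = 'EnforceBlockList' }
        # @{Add=...} appends to a multivalued property instead of overwriting it.
        if ($toAdd.Count -gt 0) { $params.EwsBlockList = @{ Add = $toAdd } }
        Set-OrganizationConfig @params
    }

    # Return the effective settings so the change can be confirmed.
    Get-OrganizationConfig |
        Select-Object Name, EwsApplicationAccessPolicy, EwsBlockList, EwsAllowList
}

# Preview first, then apply. "CloudMagic*" is the pattern used in this post.
Add-EwsBlockListEntry -UserAgentPattern 'CloudMagic*' -WhatIf
Add-EwsBlockListEntry -UserAgentPattern 'CloudMagic*'
```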

 


Modify Recoverable Items Folder – RetainDeletedItemsFor

Once you delete items from Outlook or have retention policies delete the data, it will end up in the Recoverable Items Folder. This post will detail how to check for and modify the time in which that data sits in the Recoverable Items Folder, before it’s purged from Exchange Online.

Chances are if you are reading this you know what the Recoverable Items Folder is and you know why you want to change the default time for the folder. Please be careful and be knowledgeable about how and what you are modifying here.  If you are unsure about the Recoverable Items Folder, please view the Microsoft TechNet article below. Consider this as your warning.

https://technet.microsoft.com/en-us/library/ee364755(v=exchg.150).aspx

 

Per Microsoft:

To protect from accidental or malicious deletion and to facilitate discovery efforts commonly undertaken before or during litigation or investigations, Microsoft Exchange Server 2013 and Exchange Online use the Recoverable Items folder. The Recoverable Items folder replaces the feature that was known as the dumpster in earlier versions of Exchange. The Recoverable Items folder is used by the following Exchange features:

  • Deleted item retention
  • Single item recovery
  • In-Place Hold
  • Litigation Hold
  • Mailbox audit logging
  • Calendar logging

 

This BLOG post will walk through the steps of setting the RetainDeletedItemsFor value for both the Mailbox and the Mailbox Plan in Office 365 (Exchange Online). The Microsoft default value for this setting is 14 days. The value is modified with PowerShell connection to Exchange Online. One thing to note is that if you have changed the default value on premise, you will also have to set the same value in Exchange Online as the mailbox you are moving to Exchange Online will get the value from Exchange Online.

 

View the current MailboxPlan settings in Exchange Online

Get-MailboxPlan |ft Name,RetainDeletedItemsFor

 

View the current setting per mailbox in Exchange Online

Get-Mailbox -Identity User.Name | fl Identity,RetainDeletedItemsFor

 

View the current setting all Mailboxes in Exchange Online

Get-Mailbox | fl Identity,RetainDeletedItemsFor

Note that some of the names have been blacked out for security purposes. Yes, people try to hack the users in my blog posts, even though I only use them once and they are deleted after.


 

Changing the Default Values

The value can be changed per mailbox or for the whole mailbox plan. Per mailbox is just as it sounds, it’s only for that one mailbox. Per mailbox plan will catch all the newly created mailboxes (including those migrated). It’s important to note that if you modify the setting after mailboxes have been created or migrated to Exchange Online, you will have to modify the value on those mailboxes as well as the mailbox plan. Basically after modifying the mailbox plan, all new mailboxes will get the new setting, while existing mailboxes will have to be updated.

 

The default value is set to 14 days. The max value that you can set is 30 days.

 

Change the current setting for the MailboxPlan in Exchange Online

Get-MailboxPlan | Set-MailboxPlan -RetainDeletedItemsFor XX

The screen shot below shows the command to change the setting, followed by the command to verify.

 

Change the current setting per mailbox

Set-Mailbox -Identity username@domain.com -RetainDeletedItemsFor XX

The screen shot below shows the command to change the setting, followed by the command to verify.
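Because the mailbox plan only affects new and migrated mailboxes, both places have to be changed together. The function below is an added example, not part of the original post: it sets the mailbox plans, then finds existing mailboxes whose value differs and updates only those. The name Set-DeletedItemRetention is hypothetical, and the example assumes an imported Exchange Online session.

```powershell
# Added example (not from the original post).
# Set-DeletedItemRetention is a hypothetical helper name.
function Set-DeletedItemRetention {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # 30 days is the maximum stated in this post; the lower bound of 1
        # is an assumption made by this example.
        [ValidateRange(1, 30)]
        [int]$Days = 30
    )

    $target = New-TimeSpan -Days $Days
    $value  = '{0}.00:00:00' -f $Days   # dd.hh:mm:ss

    # 1. Mailbox plans: picked up by new and migrated mailboxes.
    foreach ($plan in Get-MailboxPlan) {
        if ($PSCmdlet.ShouldProcess($plan.Name, "Set mailbox plan retention to $Days days")) {
            Set-MailboxPlan -Identity ([string]$plan.Identity) -RetainDeletedItemsFor $value
        }
    }

    # 2. Existing mailboxes: they keep their old value until updated.
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        # The remote session may return the value as text, so parse it.
        $current = [TimeSpan]::Parse([string]$mbx.RetainDeletedItemsFor)
        if ($current -eq $target) { continue }

        if ($PSCmdlet.ShouldProcess($mbx.UserPrincipalName, "Change retention from $($current.Days) to $Days days")) {
            Set-Mailbox -Identity ([string]$mbx.Guid) -RetainDeletedItemsFor $value
        }

        # Emit one record per mailbox that differed, for the change log.
        [pscustomobject]@{
            Mailbox     = $mbx.UserPrincipalName
            PreviousDays = $current.Days
            TargetDays  = $Days
        }
    }
}

# Preview which plans and mailboxes would change, then apply.
Set-DeletedItemRetention -Days 30 -WhatIf
Set-DeletedItemRetention -Days 30
```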

 


Setup and Enable Office 365 Message Encryption

The process to set up and enable Office 365 Message Encryption is really easy. There are three main steps that need to be followed:

  1. Activate Azure Rights Management
  2. Setup Azure Rights Management for Exchange Online
  3. Setup transport rules to enforce message encryption in Exchange Online

 

The following Microsoft TechNet article details the process; I have a step-by-step below.

https://technet.microsoft.com/en-us/library/dn569291.aspx

 

Office 365 Message Encryption Mail Flow

 

 

Activate Azure Rights Management for Office 365 Message Encryption

 

Login to Microsoft Online Portal with a Global Admin Account

Open the App Launcher (waffle)

Select Admin

 

Select SERVICE SETTINGS from the left pane

Click Rights Management

 

From within RIGHTS MANAGEMENT click Manage

 

 

You’ll be redirected to the management page

Click Activate

Click Activate again on the popup asking if you are sure you want to activate Rights Management

 

 

Set up Azure Rights Management for Office 365 Message Encryption

 

Connect to Exchange Online with PowerShell

Open PowerShell as Administrator

Enter the following commands to connect and import the session

  • Set-ExecutionPolicy RemoteSigned

     

  • $cred = Get-Credential

     

  • $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection

 

  • Import-PSSession $Session

 


 

Verify your IRM isn’t configured already

  • Get-IRMConfiguration

 

Configure RMS with the online key-sharing location for Exchange Online with PowerShell (locations below). For my example I am using North America, but the table below shows all the locations.

 

Location                     RMS key sharing location
North America                https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc
European Union               https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc
Asia                         https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc
South America                https://sp-rms.sa.aadrm.com/TenantManagement/ServicePartner.svc
Office 365 for Government    https://sp-rms.govus.aadrm.com/TenantManagement/ServicePartner.svc

 

Import the Trusted Publishing Domain (TPD) from RMS Online

  • Import-RMSTrustedPublishingDomain -RMSOnline -name "RMS Online"

 

Verify successful setup of IRM in Exchange Online

  • Test-IRMConfiguration -sender admin@domain.com

 

Disable IRM templates in OWA and Outlook

  • Set-IRMConfiguration -ClientAccessServerEnabled $false

 

Enable IRM for Office 365 Message Encryption

  • Set-IRMConfiguration -InternalLicensingEnabled $true


*Note – You shouldn’t see that warning, but if you do it’s safe to ignore. I got it because I ran the command and forgot to grab the screen shot before clearing the screen, thus I had to run the command again.

 

View the IRM Configuration

  • Get-IRMConfiguration


 

Create Transport Rules to Encrypt Messages

Open the Office 365 Admin Portal (https://portal.microsoftonline.com)

Open Exchange Admin Center


 

Click Mail Flow


 

 

Click the + and create your transport rule. I have created two simple rules.

This rule will encrypt anything that is sent external with an attachment larger than 1MB


This rule will encrypt the email if the word ‘Encrypt’ is in the subject line of the email. This will give the users (once trained) the flexibility to encrypt emails they deem sensitive.


 

Make sure the rules are active and test


 

 

Testing that the transport rules apply Office 365 Message Encryption

Testing Transport Rule 1


 

Testing Transport Rule 2


 

 

When the user gets the email, this is how it’s presented to them


One thing to note is that after you go through the setup process, it may take some time to replicate across the Microsoft back end servers. So if you test and it doesn’t work, give it some more time. I have seen this process take up to 2 hours to replicate.

 


Office365 – Creating a New Shared Mailbox

Creating a shared mailbox is simple with Office 365. Follow the step-by-step below, for the simplified process.

Per Microsoft – https://support.office.com/en-au/article/Create-and-use-shared-mailboxes-ecacf5b0-b5c8-449f-a89a-b7e87dcb55d4 

Shared mailboxes make it easy for a specific group of people to monitor and send email from a common account, like public email addresses, such as info@contoso.com or contact@contoso.com. When a person in the group replies to a message sent to the shared mailbox, the email appears to be from the shared mailbox, not from the individual user. 

Shared mailboxes are a great way to handle customer email queries because several people in your organization can share the responsibility of monitoring the mailbox and responding to queries. Your customer queries get quicker answers, and related emails are all stored in one mailbox. 

A shared mailbox doesn’t have its own user name and password. You can’t log into a shared mailbox directly using Outlook or Outlook Web App. You must first be granted permissions to the shared mailbox, and then you access it using Outlook or Outlook Web App. You don’t need to assign licenses to shared mailboxes, except when they are over their storage quota of 10 gigabytes (GB).

 

Sign in to Office 365

Click the waffle and select Admin

 

Expand Admin

Select Exchange

Select Recipients

Select Shared

 

Click +

 

Enter Display Name

Enter Email Address (this value must be unique) – Drop down the list to select the email domain.

Select the User(s) that has permissions to send mail from the shared mailbox. This can be changed later with advanced options

Enter Alias

Click Save

 

Once the shared mailbox is created, select it and click the pencil to edit the properties. Advanced settings are available.

 


No Subscription Found – Office Mobile for iPhone and Android

 

When trying to sign in and activate Office Mobile for iPhone or iPad you may encounter the following error. This error is consistent on the iPhone and Android devices. My post shows screen shots from an iPhone 5, but the same solutions can be applied to Android as well.

 

No Subscription Found We couldn’t find a subscription connected to your account.

 

 

There are a number of reasons why you may encounter this error, so here are the top four fixes.

 

  1. Make sure that your Office365 user account is licensed for Office Professional Plus.

     

  2. If you have a license assigned to your Office 365 user account, give it time to replicate across the Microsoft back end servers. After the license is applied, wait at least 15-30 minutes before trying to activate Office Mobile on iPhone or Android.

     

  3. Verify that you are signing into Office Mobile with the correct account option. Login to Office Mobile with your Organizational Account. If you choose Microsoft Account you will get the error.

     

  4. If the three solutions above don’t work:
    1. Remove the Office Professional Plus license from the Office 365 user account
    2. Allow for replication/propagation time (30-45 minutes) across the Microsoft back end servers.
    3. Add the Office Professional Plus license back to the Office 365 user account

 

Here is the Microsoft KB that details the issue.

http://support.microsoft.com/kb/2861180

 

 


Kelsey Epps Office365 MVP

Technical Consultant

Concepps Group


 

Exchange 2007 Cutover Migration to the NEW Office 365

I covered this topic in a BLOG post for MS Press. Please click the link below and you will be re-directed there.

From the MVPs: Exchange 2007 Cutover Migration to the NEW Office 365

 

Complete Series:

Getting to know the NEW Office 365

  1. Does Microsoft have FREE training for the NEW Office 365?
  2. Signing up for the NEW Office 365
  3. Adding and Verifying a Domain for the NEW Office 365
  4. Creating Cloud Users for the NEW Office 365
  5. Configuring Desktops for the NEW Office 365
  6. Exchange 2003 Cutover Migration to the NEW Office 365
  7. Exchange 2007 Cutover Migration to the NEW Office 365
  8. Setting up AD FS and Enabling Single Sign-On to the NEW Office 365
  9. Setting up AD FS Proxy Servers for Single Sign-On to the NEW Office 365
  10. Setting up Directory Synchronization with the NEW Office 365
  11. Activating and Licensing a Synchronized User in the NEW Office 365
  12. Testing Single Sign-on to the NEW Office 365
  13. Making the Single Sign-On Solution Highly Available
  14. Exchange Hybrid Deployment with the NEW Office 365
