Category Archives: Setup

Modify Recoverable Items Folder – RetainDeletedItemsFor

Once you delete items from Outlook, or a retention policy deletes them for you, the data ends up in the Recoverable Items folder. This post details how to check, and change, how long that data sits in the Recoverable Items folder before Exchange Online purges it.

Chances are that if you are reading this you already know what the Recoverable Items folder is and why you want to change its default retention. Be careful and understand what you are modifying here. If you are unsure about the Recoverable Items folder, read the Microsoft TechNet article below first. Consider this your warning.

https://technet.microsoft.com/en-us/library/ee364755(v=exchg.150).aspx

 

Per Microsoft:

To protect from accidental or malicious deletion and to facilitate discovery efforts commonly undertaken before or during litigation or investigations, Microsoft Exchange Server 2013 and Exchange Online use the Recoverable Items folder. The Recoverable Items folder replaces the feature that was known as the dumpster in earlier versions of Exchange. The Recoverable Items folder is used by the following Exchange features:

  • Deleted item retention
  • Single item recovery
  • In-Place Hold
  • Litigation Hold
  • Mailbox audit logging
  • Calendar logging

 

This BLOG post walks through setting the RetainDeletedItemsFor value for both the mailbox and the mailbox plan in Office 365 (Exchange Online). The Microsoft default for this setting is 14 days. The value is modified over a PowerShell connection to Exchange Online. One thing to note: if you have changed the default on-premises, you also have to set the same value in Exchange Online, because a mailbox you move to Exchange Online gets its value from the Exchange Online mailbox plan, not from the on-premises setting.

 

View the current MailboxPlan settings in Exchange Online

Get-MailboxPlan | ft Name,RetainDeletedItemsFor

 

View the current setting per mailbox in Exchange Online

Get-Mailbox -Identity User.Name | fl Identity,RetainDeletedItemsFor

 

View the current setting for all mailboxes in Exchange Online

Get-Mailbox | fl Identity,RetainDeletedItemsFor

Note that some of the names have been blacked out for security purposes. Yes, people try to hack the users in my blog posts, even though I only use them once and they are deleted after.


 

Changing the Default Values

The value can be changed per mailbox or for the whole mailbox plan. Per mailbox is just what it sounds like: it affects only that one mailbox. Per mailbox plan applies to every mailbox created afterwards (including migrated ones). Existing mailboxes do not pick up a change to the plan, so if you modify the plan after mailboxes have been created or migrated to Exchange Online, you also have to update those mailboxes individually.

 

The default value is 14 days. The maximum value Exchange Online allows is 30 days.

 

Change the current setting for the MailboxPlan in Exchange Online

Get-MailboxPlan | Set-MailboxPlan -RetainDeletedItemsFor XX

The screen shot below shows the command to change the setting, followed by the command to verify.

 

Change the current setting per mailbox

Set-Mailbox -Identity username@domain.com -RetainDeletedItemsFor XX

The screen shot below shows the command to change the setting, followed by the command to verify.
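Putting the steps together, here is an added example (not part of the original post) that sets the plan, catches the existing mailboxes the plan change does not touch, and verifies the result. It assumes an Exchange Online PowerShell session is already open; $TargetDays is an assumed value (30 here, the Exchange Online maximum).

```powershell
# Added example, not part of the original post: raise RetainDeletedItemsFor on
# every mailbox plan and on every existing mailbox, then verify nothing was missed.
# Assumes an Exchange Online PowerShell session is already open. $TargetDays is
# an assumed value; Exchange Online caps it at 30 days.
$TargetDays = 30
$Target     = New-TimeSpan -Days $TargetDays

# 1. Mailbox plans: this is what new and migrated mailboxes pick up.
Get-MailboxPlan | Set-MailboxPlan -RetainDeletedItemsFor $TargetDays

# 2. Existing mailboxes keep their old value, so set them explicitly.
#    -ResultSize Unlimited lifts the default 1000-result cap; mailboxes already
#    at or above the target are skipped so the script can be re-run safely.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { [TimeSpan]$_.RetainDeletedItemsFor -lt $Target } |
    ForEach-Object {
        Set-Mailbox -Identity $_.Identity -RetainDeletedItemsFor $TargetDays
        "Updated $($_.PrimarySmtpAddress)"
    }

# 3. Verify: list anything still below the target (expected: nothing).
$Behind = Get-Mailbox -ResultSize Unlimited |
    Where-Object { [TimeSpan]$_.RetainDeletedItemsFor -lt $Target } |
    Select-Object Identity, RetainDeletedItemsFor
if ($Behind) {
    $Behind | Format-Table -AutoSize
} else {
    "All mailboxes retain deleted items for $TargetDays days."
}
```

Mailboxes on Litigation Hold or In-Place Hold keep their Recoverable Items until the hold is released, regardless of this value, so this setting only governs mailboxes that are not on hold.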

 

Thanks for visiting and reading my posts. I am always looking for more ideas. Please comment or email me with what you would like to see.

Kelsey Epps Office365 MVP

Email Me Follow me on Twitter Connect with me on LinkedIN

Office 365 Shadow Tenants – Sorry, you can’t add domain.com here because it’s already in use

Sorry, you can’t add domain.com here because it’s already in use. If you own the domain.com domain and want to manage it, you have a couple of options.

 

This issue has come up a number of times with my clients. We are unable to add and verify production domains to a production tenant because someone in the organization has used their company email address to sign up for a trial of PowerBI (or a similar service). Because of the way Office 365 is set up, when you sign up for those trials a shadow tenant is created and your domain is locked (unverified) to that tenant. In my example, I have opened a trial for PowerBI using an email address (kelsey.epps@office365testing.org) that hasn't been registered with my production Office 365 tenant. Now, when I try to add the domain (office365testing.org) to my production Office 365 tenant, I get the error below (in red and in the screen shot). This is because the shadow tenant that was created for the PowerBI trial is using that domain.

To resolve this, you need to do an admin takeover of the shadow tenant and then release the domain so it can be registered to your Office 365 tenant. This involves opening another PowerBI trial with an address in that domain, taking admin ownership by proving you control the domain's public DNS (a TXT record), removing the domain from the shadow tenant, and then adding and verifying it in your own tenant. Note what the takeover is gated on: whoever can publish a TXT record for the domain becomes the admin of the shadow tenant and can see every trial user in it, so keep control of the domain's DNS zone tight, and register your domains in your production tenant before users sign up for trials with them.

 

Sorry, you can’t add domain.com here because it’s already in use. If you own the domain.com domain and want to manage it, you have a couple of options.

 

 

Follow these instructions to remove the domain from the Shadow tenant and add it to your production tenant.

 

Navigate to https://powerbi.microsoft.com/

 

Enter an email address in the domain that you can't add to your Office 365 tenant. My example is office365testing.org

 

Click ‘Use it free’

 

A confirmation email will be sent to your account. Click the link to verify the email address.

 

 

Enter your First Name, Last Name and a password. Click Start

 

The PowerBI setup process will kick off and your account will be added to the Shadow Tenant


 

Click the Office 365 waffle (app launcher)

Click the Admin Icon

 


 

This will take you to the admin takeover webpage

Click ‘Yes, I want to be the admin’

 

Add the verification TXT record to your external DNS. Mine happens to be hosted on GoDaddy, so there are instructions for GoDaddy on the page.

 

 

Once the TXT record is added to public DNS, give it some time for replication. This is generally completed within 30 minutes, but can take up to 72 hours.

Click ‘Okay, I’ve added the record’

 

The process will now go out and verify that the TXT record supplied is added to public DNS. Once completed, your account will be added as the admin for the shadow tenant.

 

Click ‘Go to the Office 365 homepage’ or login to https://portal.office.com with your account.

Once logged into the Office 365 Admin Portal, click Users -> Active Users

This will show you all the people who have opened PowerBI trial accounts

 

In order to remove the domain so that we can register it in the main tenant, you need to edit the users and change their UPNs to the onmicrosoft.com domain (in my example, office365testingorg.onmicrosoft.com). This is required because no user can still have the office365testing.org domain in use if we want to remove the domain from this tenant. It's recommended that you update all the other users first and your own admin account last.

Double click a user and change the UPN to the domain.onmicrosoft.com address

Click Save

 

You may receive a warning. Click Yes

Repeat for all the users

Let your users know they still have their trial accounts, but the user name is now changed. This will allow them to remove their data.

 

Edit your admin account the same way

Click Yes to the warning

Click OK and sign out of the shadow tenant

Sign back in with the new user name (user@domain.onmicrosoft.com)

 

Click Domains and select the domain you want to remove (this is the domain that you want to add to your production tenant)

 

With the domain selected, click ‘Remove domain’

Click Yes

The domain will be removed from the shadow tenant and is now free to add to your tenant (give the process some replication time across the Microsoft backend servers).

Logout of the shadow tenant

 

Login to your production tenant where you were getting the error adding the domain with your admin account and try to add the domain again. This time it should work without giving you the error. Please note that you will have to verify ownership again by adding the TXT record into public DNS.

 

Login to the production tenant – https://portal.office.com

Navigate to domains

Click + Add domain

 

Click ‘Let’s get started ->’

 

Add the newly released domain from the shadow tenant

Click Next

 

Verify domain ownership. Since I use GoDaddy, the process will allow me to sign into my GoDaddy account and verify, or use a TXT record in public DNS. Since I am lazy, I will just sign into GoDaddy and let automation rule my life. 😉

 

Success (and I forgot to screen shot the page before clicking next) … The domain is now verified and added to your production tenant. Step through the rest of the steps and now when viewing the domains in the production tenant, you will see it there and verified.

 

 



Adding a Domain to Office 365 that is Registered with GoDaddy

Adding a domain to Office 365 is really easy. To make the process even easier, the web page walks you through it. For this post, I am adding a domain to Office 365 that is managed at GoDaddy.

 

Open the Microsoft Online Portal

Click Domains

Click + Add Domain

 

The add a domain in Office 365 Window will popup.

Click Let’s get started to allow the webpage to discover your domain registrar

 

Enter the domain you want added to Office 365

Click Next

 

Domain ownership needs to be verified. In this case, it was discovered that the domain is registered at GoDaddy.

If you want the web page to do all the steps, sign in with your GoDaddy account

If you want to verify the domain manually, then click ‘use a TXT record to verify you own this domain’

 

Sign in to your GoDaddy account

 

To confirm Office 365 access to your domain at GoDaddy, click Accept

 

The domain is verified

Click Next

 

At this point, you have the option to convert all the domain.onmicrosoft.com UPNs on the users to domain.com.

You can skip this if you wish, see below.

 

Click Update selected users to update the users, or click skip this step if you wish not to update the UPN

 

The next step in the process allows you to add more users, or you can skip the step.

 

Update DNS records. Be really careful here. If you have a production domain and you are using it for production email or other services, then changing DNS can cause some havoc if you are not ready to flip the services to Office 365. In my case, this is a test domain and I have no production users on it.

Click Next

 

Click Next

Keep in mind that I want the web page to change my DNS records, so I am leaving the Outlook and Lync checked.

 

Here is a screen shot of my DNS records before the webpage makes its changes to DNS

 

Here is a screen shot of the DNS records that the web page added, to enable services on Office 365
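The screen shots above are the before-and-after record of what the wizard changed. Here is an added example (not part of the original post) that captures the same thing in a file, so a production domain can be reviewed and rolled back if the wizard touches something it should not. It assumes Windows 8 / Server 2012 or later for Resolve-DnsName; $Domain is an assumed value.

```powershell
# Added example, not part of the original post: snapshot the public DNS records
# the Office 365 domain wizard touches, before and after it edits the zone at
# GoDaddy, so the change can be reviewed and rolled back. Assumes Windows 8 /
# Server 2012 or later (Resolve-DnsName). $Domain is an assumed value.
$Domain = 'office365testing.org'

# Names the wizard sets for Exchange Online and Lync Online
$Queries = @(
    @{ Name = $Domain;                          Type = 'MX'    }
    @{ Name = $Domain;                          Type = 'TXT'   }   # SPF and the ownership record
    @{ Name = "autodiscover.$Domain";           Type = 'CNAME' }
    @{ Name = "sip.$Domain";                    Type = 'CNAME' }
    @{ Name = "lyncdiscover.$Domain";           Type = 'CNAME' }
    @{ Name = "_sip._tls.$Domain";              Type = 'SRV'   }
    @{ Name = "_sipfederationtls._tcp.$Domain"; Type = 'SRV'   }
)

$Snapshot = foreach ($q in $Queries) {
    try {
        # Query a public resolver directly so a stale local cache does not mask the change
        Resolve-DnsName -Name $q.Name -Type $q.Type -Server 8.8.8.8 -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq $q.Type } |
            ForEach-Object {
                # Each record type carries its payload in a different property
                $value = switch ($q.Type) {
                    'MX'    { "$($_.Preference) $($_.NameExchange)" }
                    'TXT'   { $_.Strings -join ' ' }
                    'CNAME' { $_.NameHost }
                    'SRV'   { "$($_.Priority) $($_.Weight) $($_.Port) $($_.NameTarget)" }
                }
                [pscustomobject]@{ Name = $_.Name; Type = $_.Type.ToString(); Value = $value }
            }
    } catch {
        # NXDOMAIN / no data: record the absence so the diff shows additions too
        [pscustomobject]@{ Name = $q.Name; Type = $q.Type; Value = '(no record)' }
    }
}

$File = ".\dns-$Domain-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"
$Snapshot | Export-Csv -Path $File -NoTypeInformation
$Snapshot | Format-Table -AutoSize
"Saved to $File"
```

Run it once before clicking Next on the DNS step and once after the wizard finishes, then compare the two CSVs with Import-Csv and Compare-Object. Anything that changed that you did not expect (an MX pointing at Office 365 while mail is still on-premises, for example) is the havoc the warning above is about.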

 

 

Done, the domain is added and now active for Office 365 use.

Click Finish

 


 

Setup and Enable Office 365 Message Encryption

The process to set up and enable Office 365 Message Encryption is really easy. There are three main steps that need to be followed:

  1. Activate Azure Rights Management
  2. Setup Azure Rights Management for Exchange Online
  3. Setup transport rules to enforce message encryption in Exchange Online

 

The following Microsoft TechNet article details the process, I have a step-by-step below.

https://technet.microsoft.com/en-us/library/dn569291.aspx

 

Office 365 Message Encryption Mail Flow

 

 

Activate Azure Rights Management for Office 365 Message Encryption

 

Login to Microsoft Online Portal with a Global Admin Account

Open the App Launcher (waffle)

Select Admin

 

Select SERVICE SETTINGS from the left pane

Click Rights Management

 

From within RIGHTS MANAGEMENT click Manage

 

 

You’ll be redirected to the management page

Click Activate

Click Activate again on the popup asking if you are sure you want to activate Rights Management

 

 

Set up Azure Rights Management for Office 365 Message Encryption

 

Connect to Exchange Online with PowerShell

Open PowerShell as Administrator

Enter the following commands to connect and import the session

  • Set-ExecutionPolicy RemoteSigned

     

  • $cred = Get-Credential

     

  • $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection

 

  • Import-PSSession $Session

 


 

Verify your IRM isn’t configured already

  • Get-IRMConfiguration

 

Configure IRM in Exchange Online with the RMS Online key-sharing location for your region (locations below). For my example I am using North America, but the table below shows all the locations.

 

Location                    RMS key sharing location
North America               https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc
European Union              https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc
Asia                        https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc
South America               https://sp-rms.sa.aadrm.com/TenantManagement/ServicePartner.svc
Office 365 for Government   https://sp-rms.govus.aadrm.com/TenantManagement/ServicePartner.svc

 

Import the Trusted Publishing Domain (TPD) from RMS Online

  • Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"

 

Verify successful setup of IRM in Exchange Online

  • Test-IRMConfiguration -Sender admin@domain.com

 

Disable IRM templates in OWA and Outlook

  • Set-IRMConfiguration -ClientAccessServerEnabled $false

 

Enable IRM for Office 365 Message Encryption

  • Set-IRMConfiguration -InternalLicensingEnabled $true


*Note – You shouldn’t see that warning, but if you do it’s safe to ignore. I got it because I ran the command and forgot to grab the screen shot before clearing the screen, thus I had to run the command again.

 

View the IRM Configuration

  • Get-IRMConfiguration
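The post shows the key-sharing locations but not the command that applies one; that step in the TechNet article linked above is Set-IRMConfiguration with -RMSOnlineKeySharingLocation. Here is an added example (not part of the original post) that runs the whole "Set up Azure Rights Management" section as one script: it picks the location by region, refuses to run against a tenant that is already configured, and stops if Test-IRMConfiguration does not pass. It assumes an Exchange Online PowerShell session is already open (the New-PSSession commands above, or Connect-ExchangeOnline from the current ExchangeOnlineManagement module, which replaces the Basic-authentication session Microsoft has since retired). $Region and $TestSender are assumed values.

```powershell
# Added example, not part of the original post: the "Set up Azure Rights
# Management" steps as one script that picks the key-sharing location by region,
# refuses to run twice, and stops if Test-IRMConfiguration fails. Assumes an
# Exchange Online PowerShell session is already open. $Region and $TestSender
# are assumed values.
$Region     = 'NA'                 # NA, EU, AP, SA or GovUS (see the table above)
$TestSender = 'admin@domain.com'   # any mailbox in the tenant

$KeySharing = @{
    NA    = 'https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc'
    EU    = 'https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc'
    AP    = 'https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc'
    SA    = 'https://sp-rms.sa.aadrm.com/TenantManagement/ServicePartner.svc'
    GovUS = 'https://sp-rms.govus.aadrm.com/TenantManagement/ServicePartner.svc'
}
if (-not $KeySharing.ContainsKey($Region)) { throw "Unknown region '$Region'" }

# Guard: a tenant with a key-sharing location set and licensing enabled has been
# through this before. Re-pointing it under existing protected mail is not
# something to do by accident.
$irm = Get-IRMConfiguration
if ($irm.RMSOnlineKeySharingLocation -and $irm.InternalLicensingEnabled) {
    Write-Warning "IRM is already configured against $($irm.RMSOnlineKeySharingLocation); nothing changed."
    return
}

# Point Exchange Online at RMS Online for your region (the step the table refers to)
Set-IRMConfiguration -RMSOnlineKeySharingLocation $KeySharing[$Region]

# Import the Trusted Publishing Domain from RMS Online
Import-RMSTrustedPublishingDomain -RMSOnline -Name 'RMS Online'

# Test-IRMConfiguration exercises the whole chain; stop here if it does not pass
$test = Test-IRMConfiguration -Sender $TestSender
if (($test.Results -join "`n") -notmatch 'OVERALL RESULT:\s*PASS') {
    throw "Test-IRMConfiguration did not pass:`n$($test.Results -join "`n")"
}

Set-IRMConfiguration -ClientAccessServerEnabled $false   # no IRM templates in OWA / Outlook
Set-IRMConfiguration -InternalLicensingEnabled $true     # required for Office 365 Message Encryption

Get-IRMConfiguration | Format-List RMSOnlineKeySharingLocation, InternalLicensingEnabled, ClientAccessServerEnabled
```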


 

Create Transport Rules to Encrypt Messages

Open the Office 365 Admin Portal (https://portal.microsoftonline.com)

Open Exchange Admin Center


 

Click Mail Flow


 

 

Click the + and create your transport rule. I have created two simple rules.

This rule will encrypt anything that is sent external with an attachment larger than 1MB


This rule will encrypt the email if the word ‘Encrypt’ is in the subject line of the email. This will give the users (once trained) the flexibility to encrypt emails they deem sensitive.


 

Make sure the rules are active and test
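The same two rules can be created from PowerShell, which is easier to review and to reproduce in a second tenant than clicking through the Exchange Admin Center. Here is an added example (not part of the original post) that builds both rules with New-TransportRule and then verifies they are enabled and carry the encryption action; -ApplyOME is the PowerShell form of the "Apply Office 365 Message Encryption" action in the admin center. The rule names are assumed; the conditions match the two rules described above.

```powershell
# Added example, not part of the original post: create the two transport rules
# described above with New-TransportRule and verify them. Assumes an Exchange
# Online PowerShell session is already open; rule names are assumed.

# Rule 1: any message leaving the organization with an attachment over 1 MB
New-TransportRule -Name 'OME - External with attachment over 1MB' `
    -SentToScope NotInOrganization `
    -AttachmentSizeOver 1MB `
    -ApplyOME $true `
    -Comments 'Encrypt outbound mail carrying attachments larger than 1 MB'

# Rule 2: user opt-in, the word "Encrypt" anywhere in the subject
New-TransportRule -Name 'OME - Encrypt keyword in subject' `
    -SubjectContainsWords 'Encrypt' `
    -ApplyOME $true `
    -Comments 'Encrypt when the sender puts Encrypt in the subject'

# Verify: both rules present, enabled, and carrying the OME action
Get-TransportRule |
    Where-Object { $_.Name -like 'OME - *' } |
    Format-Table Name, State, Priority, ApplyOME, SentToScope, AttachmentSizeOver, SubjectContainsWords -AutoSize
```

Rule 2 deliberately has no recipient scope, matching the rule in the screen shot: it fires on internal mail too. Add -SentToScope NotInOrganization to it if you only want the opt-in keyword to matter for external recipients.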


 

 

Testing that the transport rule apply Office 365 Message Encryption

Testing Transport Rule 1


 

Testing Transport Rule 2


 

 

When the user gets the email, this is how its presented to them


One thing to note is that after you go through the setup process, it may take some time to replicate across the Microsoft back-end servers. So if you test and it doesn't work, give it more time. I have seen this process take up to 2 hours to replicate.

 


Office365 – Creating a New Shared Mailbox

Creating a shared mailbox is simple with Office 365. Follow the step-by-step below, for the simplified process.

Per Microsoft – https://support.office.com/en-au/article/Create-and-use-shared-mailboxes-ecacf5b0-b5c8-449f-a89a-b7e87dcb55d4 

Shared mailboxes make it easy for a specific group of people to monitor and send email from a common account, like public email addresses, such as info@contoso.com or contact@contoso.com. When a person in the group replies to a message sent to the shared mailbox, the email appears to be from the shared mailbox, not from the individual user. 

Shared mailboxes are a great way to handle customer email queries because several people in your organization can share the responsibility of monitoring the mailbox and responding to queries. Your customer queries get quicker answers, and related emails are all stored in one mailbox. 

A shared mailbox doesn’t have its own user name and password. You can’t log into a shared mailbox directly using Outlook or Outlook Web App. You must first be granted permissions to the shared mailbox, and then you access it using Outlook or Outlook Web App. You don’t need to assign licenses to shared mailboxes, except when they are over their storage quota of 10 gigabytes (GB).

 

Sign in to Office 365

Click the waffle and select Admin

 

Expand Admin

Select Exchange

Select Recipients

Select Shared

 

Click +

 

Enter Display Name

Enter Email Address (this value must be unique) – Drop down the list to select the email domain.

Select the User(s) that has permissions to send mail from the shared mailbox. This can be changed later with advanced options

Enter Alias

Click Save

 

Once the shared mailbox is created, select it and click the pencil to edit the properties. Advanced settings are available.
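The same mailbox, created and permissioned from PowerShell, as an added example that is not part of the original post. It grants a group Full Access (so the mailbox auto-maps in Outlook) and Send As, then confirms the account behind the shared mailbox stays blocked from signing in, which is the property the Microsoft text above relies on when it says nobody logs into a shared mailbox directly. It assumes an Exchange Online session is open; the names and addresses are assumed.

```powershell
# Added example, not part of the original post: create a shared mailbox from
# PowerShell, grant Full Access and Send As to a group, and check that the
# mailbox's own account cannot sign in. Assumes an Exchange Online session;
# all names below are assumed.
$Name    = 'Info'
$Alias   = 'info'
$Address = 'info@contoso.com'
$Team    = 'Support Team'   # a mail-enabled security group (or a single user)

New-Mailbox -Shared -Name $Name -DisplayName $Name -Alias $Alias -PrimarySmtpAddress $Address | Out-Null

# Full Access lets members open the mailbox in Outlook / OWA; -AutoMapping adds it
# to their Outlook profiles without any client-side setup.
Add-MailboxPermission -Identity $Alias -User $Team -AccessRights FullAccess `
    -AutoMapping $true -InheritanceType All | Out-Null

# Send As makes replies appear to come from the shared address itself. Use
# Set-Mailbox -GrantSendOnBehalfTo instead if "on behalf of" is acceptable.
Add-RecipientPermission -Identity $Alias -Trustee $Team -AccessRights SendAs -Confirm:$false | Out-Null

# Check 1: who can open it (explicit grants only, not the built-in SELF entries)
Get-MailboxPermission -Identity $Alias |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' } |
    Format-Table User, AccessRights -AutoSize

# Check 2: who can send as it
Get-RecipientPermission -Identity $Alias |
    Where-Object { $_.Trustee -notlike 'NT AUTHORITY\*' } |
    Format-Table Trustee, AccessRights -AutoSize

# Check 3: the backing account must stay sign-in blocked (AccountDisabled = True).
# If somebody later sets a password and enables it, the shared mailbox becomes a
# real login with no licence and no owner watching it.
Get-User -Identity $Alias | Format-List Name, RecipientTypeDetails, AccountDisabled
```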

 


Configure Endpoints and Test the Web Application Proxy Servers (Load-Balanced Set in Windows Azure) for Office365 Single Sign-On

In the previous posts we set up two WAP servers that act as the AD FS proxy role for our internal AD FS servers. Now that the servers are set up, we need to add an endpoint so that they are reachable from the internet, and load balance that endpoint across the two WAP servers.

 

Configure a Load Balanced End Point on the first Web Application Proxy Server

 

Open the Azure Management Portal

Select the first WAP Server

 

Select Endpoints

Click + Add

 

Select Add a Stand-Alone Endpoint

Click Next Arrow

 

Select HTTPS

Verify TCP

Verify Public Port 443

Verify Private Port 443

Select Create a Load-balanced set

Click Next Arrow

 

Name the load-balanced Set

Verify Protocol – TCP

Verify Probe Port – 443

Verify Probe Interval – 15

Verify Number of Probes – 2

Click the complete check mark

 

Load balanced endpoint is added

 

Add the Second Web Application Proxy Server to the WAP Load Balanced Set

 

Now that we have the load balanced endpoint setup on the first server, we now need to add the second server to this set.

 

Select the second WAP server

Click Endpoints

Click + Add

 

Select Add an endpoint to an existing load-balanced set

Select the load-balanced set you created in the step above

Click Next Arrow

 

Name the endpoint for this server

Verify the protocol – TCP

Click the complete checkmark

 

At this point the servers are both added to the load balanced end point and are live on the internet.

 

Collect the External IP Address of the WAP Cloud Service

 

Now that the WAP servers are load balanced, we will need to update our public DNS so that the Public Virtual IP (VIP) Address for the WAP cloud service is resolving to the AD FS farm name (in my case it’s sts.office365supportlab.com)

Click on the WAP Cloud Service – On the main page the Public Virtual IP (VIP) Address will be displayed

 

 

Update Public DNS

 

Before you complete this step, please note that this could have an impact if you are already in production. Don’t update this record if you don’t know what you are doing.

Since we all use different DNS hosts, I’ll leave this one up to you. Here is a screen shot of my GoDaddy DNS zone for reference.

 

Testing AD FS from External

 

 

Browse to the URL – https://sts.domain.com/adfs/ls/IdpInitiatedSignon.aspx
Make sure to modify the hostname and domain for your own domain.

Enter credentials

Click Sign in

 

 

Testing Access from Office365

Navigate to https://portal.office.com

 

Enter your UserID

Hit Tab

 

Redirecting to the WAP servers

 

The user name should be populated with the value entered on Office365 sign-in page

Enter Password

Click Sign-in

 

Credentials are verified and you are re-directed to Office365
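The browser tests above prove a user can sign in. Here is an added example (not part of the original post) that checks the published endpoint the way the Azure probe and Office 365 see it, from a machine outside the virtual network: public DNS points at the WAP cloud service VIP, TCP 443 answers, the certificate actually names the farm, and both the federation metadata and the IdP-initiated sign-on page come back through the proxy. It assumes Windows PowerShell 4 or later (Test-NetConnection, Resolve-DnsName); $FarmName and $ExpectedVip are assumed values.

```powershell
# Added example, not part of the original post: external checks on the AD FS
# endpoint published through the load-balanced WAP servers. Run from outside the
# Azure virtual network. Assumes Windows PowerShell 4+. $FarmName and
# $ExpectedVip are assumed values.
$FarmName    = 'sts.office365supportlab.com'   # AD FS federation service name
$ExpectedVip = '203.0.113.10'                  # Public Virtual IP of the WAP cloud service

# 1. Public DNS must resolve the farm name to the WAP cloud service VIP
$a = Resolve-DnsName -Name $FarmName -Type A -DnsOnly -Server 8.8.8.8 | Where-Object Type -eq 'A'
if ($a.IPAddress -notcontains $ExpectedVip) {
    throw "$FarmName resolves to $($a.IPAddress -join ', '); expected $ExpectedVip"
}

# 2. TCP 443 must answer; this is what the Azure probe checks every 15 seconds
if (-not (Test-NetConnection -ComputerName $FarmName -Port 443 -InformationLevel Quiet)) {
    throw "TCP 443 is not reachable on $FarmName"
}

# 3. Pull the certificate the WAP presents and check its names and expiry by hand
$tcp = New-Object System.Net.Sockets.TcpClient($FarmName, 443)
$cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }   # accept here, inspect below
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
$ssl.AuthenticateAsClient($FarmName)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Close()

$names = @($cert.GetNameInfo('DnsName', $false))
$san   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
if ($san) {
    $names += [regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)') | ForEach-Object { $_.Groups[1].Value }
}
if ($names -notcontains $FarmName) {
    throw "Certificate names ($($names -join ', ')) do not include $FarmName"
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate for $FarmName expires $($cert.NotAfter)"
}
"Certificate OK: $($cert.Subject), expires $($cert.NotAfter)"

# 4. Federation metadata must be served through the proxy (signing cert and endpoints)
$meta = Invoke-WebRequest -Uri "https://$FarmName/FederationMetadata/2007-06/FederationMetadata.xml" -UseBasicParsing
[xml]$xml = $meta.Content
"Federation service: $($xml.EntityDescriptor.entityID)"

# 5. The IdP-initiated sign-on page used in the manual test above should return 200
$page = Invoke-WebRequest -Uri "https://$FarmName/adfs/ls/IdpInitiatedSignon.aspx" -UseBasicParsing
"Sign-on page status: $($page.StatusCode)"
```

Step 3 replaces the normal chain validation with a callback that accepts everything so the certificate can be inspected even when it is wrong; the script then does its own checks on the names and expiry, which is the point of the exercise. It is the certificate presented by the WAP that matters here, so a mismatch means the wrong certificate was selected in the Web Application Proxy configuration wizard.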

 

This completes the series for Deploying a Highly Available AD FS 3.0 Solution in Windows Azure for Single Sign-on with Office365.

 

 

My BLOG Series

Deploying a Highly Available AD FS 3.0 Solution in Windows Azure for Single Sign-on with Office365

  1. Setting up the Primary AD FS 3.0 Server in Windows Azure for Office365 Single Sign-On
  2. Setting up the Secondary AD FS 3.0 Server in Windows Azure for Office365 Single Sign-On
    1. Configure the AD FS Servers in an Internal Load-Balanced Set in Windows Azure for Office365 Single Sign-On
    2. Configure the AD FS Servers with Azure Load Balanced Set in Windows Azure for Office365 Single Sign-On
  3. Securing the AD FS 3.0 servers and Configuring Azure ACLs for WAP Communications
  4. Setting up the First Web Application Proxy Servers (AD FS Proxy) in Windows Azure for Office365 Single Sign-On
  5. Setting up the Second Web Application Proxy Server (AD FS Proxy) in Windows Azure for Office365 Single Sign-On
  6. Configure Endpoints and Test the Web Application Proxy Servers (Load-Balanced Set in Windows Azure) for Office365 Single Sign-On

Thanks for visiting and reading my posts. I am always looking for more ideas. Please comment or email me with what you would like to see.

Kelsey Epps Office365 MVP

Technical Consultant

Concepps Group

Email Me Follow me on Twitter Connect with me on LinkedIN

Setting up the Second Web Application Proxy Servers (AD FS Proxy) in Windows Azure for Office365 Single Sign-On

In the previous post, we created the first of two WAP servers. This is the continuation of the series.

Create the Virtual Machine

Click New

Select Compute -> Virtual Machine -> From Gallery

 

Select Windows Server 2012 R2

Click Next arrow

 

Enter a virtual machine name, tier, size, username and password

Click Next arrow

 

Select the cloud service you created when creating the first WAP server

Verify Virtual Network

Select an Availability Set that you created when creating the first WAP server

Click Next arrow

 

Click the complete checkmark

 

 

Let the process configure the virtual machine. Once completed, log into the server and continue with the next steps.

 

 

Configure the Primary DNS Suffix

 

Open Server Manager

Click the Computer Name

 

Click Change

 

Click More…

 

 

Enter your public domain as the Primary DNS suffix of this computer

Click OK

 

Click OK

Reboot

 

 

Install the Web Application Proxy Role

 

Open Server Manager

Click Manage

Click Add Roles and Features

 

Click Next

 

Click Next

 

Click Next

 

Select Remote Access

Click Next

 

Click Next

 

Click Next

 

Select Web Application Proxy

Click Next

 

Click Add Features

 

Click Next

 

Click Install

 

Installing

 

Click Close

 

Import the SSL Certificate

AD FS uses a certificate to secure the connection from AD FS to Office365. For this reason, we need a valid SSL certificate. I choose to use GoDaddy, as I find they are a one stop shop for all my domain needs. It’s a personal choice, so use whoever you feel comfortable with. For the purposes of this BLOG post, I will use a multi-name certificate; I DON’T recommend this for a production environment. A couple of reasons: I like to keep things simple, and if we have multiple names on the certificate it starts to get complicated (not technically, but in managing the certificate). Secondly, I don’t like to share certificates across services. This cuts down on the cross contamination from the support teams at larger companies. If you lump the AD FS services in with the Exchange certificate, AD FS usually gets left in the dust and forgotten about when it comes time to renew.

 

Open the Start Screen


Type MMC

 Click the MMC app


MMC opens


Click File

Click Add/Remove Snap-in

Select Certificates

Click Add>


Select Computer Account

Click Next


Select Local Computer

Click Finish


Click OK


Expand Certificates

Expand Personal

Right Click Certificates

Select Import


Select Local Machine

Click Next


Browse to the Exported Certificate

Click Next


Enter Password

Mark the key as exportable

Click Next


Place in the Personal certificate store

Click Next


Click Finish


Successful


 

 

Edit HOSTS File

Because we need to make contact back to the AD FS servers, we need to tell the WAP servers how to get to them. The simplest way of doing this (and not opening more FW ports) is to edit the local HOSTS file on the WAP server. Keep in mind that we don’t have connectivity or the ability to route to the internal IP address, so we need to route to the external IP of the Cloud Service that holds the AD FS servers.

 

Complete in Azure

Click Cloud Services

Click the Cloud Service for your AD FS Servers

Make note of the Public Virtual IP (VIP) Address

 

Complete on WAP Server

Right Click Notepad and Run as Administrator

Navigate to c:\windows\system32\drivers\etc

Switch view to All Files

Open HOSTS

Edit HOSTS file with the AD FS Farm Name and the external IP Address of the AD FS Cloud Service

Click File -> Save

Close Notepad
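The same HOSTS edit from an elevated PowerShell prompt, as an added example that is not part of the original post. It replaces any stale entry for the farm name instead of appending a duplicate, and then confirms what the WAP role will actually connect to. $FarmName and $AdfsVip are assumed values; the VIP is the one noted from the AD FS cloud service above.

```powershell
# Added example, not part of the original post: add the AD FS farm name to the
# WAP server's HOSTS file from an elevated PowerShell prompt, replacing any stale
# entry, and confirm the name now resolves to the AD FS cloud service VIP.
# $FarmName and $AdfsVip are assumed values.
$FarmName = 'sts.office365supportlab.com'
$AdfsVip  = '203.0.113.20'      # Public Virtual IP of the AD FS cloud service, from the Azure portal
$Hosts    = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Drop any existing line that maps the farm name, then append the fresh mapping.
# -Encoding Ascii keeps the file in the plain format the resolver expects.
$pattern = '^\s*\S+\s+' + [regex]::Escape($FarmName) + '(\s|$)'
$kept    = @(Get-Content -Path $Hosts) | Where-Object { $_ -notmatch $pattern }
Set-Content -Path $Hosts -Value ($kept + "$AdfsVip`t$FarmName") -Encoding Ascii

# The resolver cache may still hold the old answer
Clear-DnsClientCache

# Confirm the mapping the WAP role will use when it contacts the farm
$resolved = [System.Net.Dns]::GetHostAddresses($FarmName) | ForEach-Object { $_.IPAddressToString }
if ($resolved -notcontains $AdfsVip) {
    throw "$FarmName resolves to $($resolved -join ', '); expected $AdfsVip"
}
"$FarmName -> $($resolved -join ', ')"
```

Writing to the HOSTS file needs an elevated prompt, the same as the Run as Administrator step for Notepad above. Remember that this entry is what makes the WAP trust "the farm" at that address, so if the AD FS cloud service VIP ever changes, both WAP servers need this edit again.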

 

Setup Azure ACLs to Allow the WAP Servers to Communicate with the AD FS Servers

Since we are on a separate network from the internal network, we also need to make sure that Azure ACLs are configured to allow the WAP servers to communicate with the AD FS servers on the internal network. Please review this BLOG post to complete that task.

Securing the AD FS 3.0 servers and Configuring Azure ACLs for WAP Communications

 

Configure the Web Application Proxy Role

 

Open Server Manager

Click More… Configuration required for Web Application Proxy

Click Open the Web Application Proxy… under the Action column

 

Click Next

 

Enter the Federation Service Name

Enter Credentials for a local administrator on the AD FS servers

Click Next

 

Select the SSL certificate that you imported earlier

Click Next

 

Click Configure

Success

Click Close

 

At this point the WAP server is functioning. All that remains is to add an endpoint for port 443 and load balance the two servers.

Continue onto the next post in the series to finish the configuration.

 
