Connecting Exchange online PowerShell with MFA enabled Admin Account

Introduction

Multi-Factor Authentication (MFA) helps safeguard application and data access through a range of verification methods, including phone call, text message and app verification. Microsoft introduced MFA for Office 365 in 2014 to help administrators secure corporate information in Office 365 by enforcing a second authentication factor. Connecting to Exchange Online PowerShell with an MFA-enabled admin account is not supported by the standard PowerShell module.

It’s highly recommended to configure Multi Factor Authentication (MFA) for all users and admin accounts in Office 365.

Connecting to Exchange Online PowerShell with an MFA-enabled admin account requires you to download and install the Exchange Online Remote PowerShell module that supports MFA.

The installation steps for the MFA-enabled Exchange Online Remote PowerShell module should be performed in Internet Explorer; otherwise you will receive an error message that says “Application can’t be started”.

Install MFA Enabled Exchange Online Remote PowerShell Module

To connect to Exchange Online with an MFA-enabled admin account, you need to install the MFA-enabled Exchange Online Remote PowerShell module, which can be downloaded from the Exchange Online admin center in Office 365.

  • Log in to Office 365 using global admin credentials.
  • Navigate to Admin > Admin Centers > Exchange.

  • In the Exchange Admin Center, navigate to Hybrid and click Configure under “The Exchange online PowerShell Module supports multi-factor authentication.”

  • The wizard will launch the application install process. Click Install.

  • Wait for the application installation process to complete.

  • Once the installation process is complete, it will launch the Exchange Online PowerShell Module that supports MFA.

Once the MFA-enabled Exchange Online Remote PowerShell module is installed, the next step is to connect to Exchange Online PowerShell using the MFA-enabled admin account.

Connecting Exchange online PowerShell with MFA enabled Admin Account

Connecting to Exchange Online PowerShell with an MFA-enabled admin account requires you to perform the following steps.

  • Run the following cmdlet to connect to Exchange Online PowerShell.

C:\> Connect-EXOPSSession -UserPrincipalName user@domain.onmicrosoft.com

  • When prompted, enter your global admin credentials.

  • Once the user credentials are verified, you will be redirected to MFA verification.

I have set up MFA to use a verification code from the mobile app.

  • Once you complete the multi-factor authentication, the Exchange Online Remote PowerShell module will start loading the remote session.
  • Once the remote session is loaded, you can perform tasks related to Exchange Online.

Conclusion

Multi-Factor Authentication helps secure access to the corporate environment, and it’s highly recommended to set up MFA for all user and admin accounts. In this blog post, we reviewed the process for accessing Exchange Online PowerShell after the admin account is set up for MFA. Connecting to Exchange Online PowerShell with an MFA-enabled admin account will ensure the security of your environment and help administrators perform their day-to-day tasks using PowerShell.

Bulk Assigning Customized licenses in Office 365 using Powershell

Introduction

Bulk assigning customized licenses in Office 365 using PowerShell is one of those rare asks that a customer can make based on their business and technical requirements. I have been working with many enterprise customers, and many of them come up with the same request to only assign the license for specific workloads in Office 365, as they prefer not to assign the license of any workload for which they haven’t done the planning and implementation according to their business and security requirements. I do support and highly recommend this approach, and it’s a best practice to make your services highly secure and controlled. If you have a customer with a few thousand licenses, then it’s not feasible to assign them a license via the Office 365 GUI, and bulk assigning customized licenses in Office 365 using PowerShell is the optimal method to achieve your goal.

This blog post is focused on customizing the E3 license to only assign Exchange Online, Skype for Business, Azure Rights Management and Office ProPlus licenses to the user population.

Bulk Assigning Customized licenses in Office 365 using PowerShell

Bulk assigning customized licenses in Office 365 using PowerShell requires you to perform the following steps in PowerShell.

  • Log in to a machine that has the Windows Azure PowerShell module installed and launch the PowerShell console
  • Run the following cmdlet and enter your Office 365 Global Admin credentials in the prompt

$creds = Get-Credential

  • Enter the following cmdlet to connect to Office 365 PowerShell

Connect-MsolService -Credential $creds

  • Once you are connected with Microsoft Online Services, run the following cmdlet to get the AccountSkuId and SkuPartNumber

Get-MsolAccountSku |ft AccountSkuId,SkuPartNumber

  • Make a note of AccountSkuId and SkuPartNumber as we need these for our next step
  • Run the following cmdlet to get the status of your provisioned services. Use the SkuPartNumber that you received from the previous cmdlet. As we are only working on the E3 license, our SkuPartNumber is “EnterprisePack”

$ServicePlan = Get-MsolAccountSku | Where {$_.SkuPartNumber -eq "EnterprisePack"}

  • Run the following cmdlet to check the status of service provisioning

$ServicePlan.ServiceStatus

Ignore the status of PendingActivation for Intune_O365 as we are not leveraging Intune in our infrastructure.

All service plans that come with the E3 license as part of your EnterprisePack will be returned. As you can see, we have received the following services as part of our E3 license

  • FLOW_O365_P2
  • POWERAPPS_O365_P2
  • TEAMS1
  • PROJECTWORKMANAGEMENT
  • SWAY
  • INTUNE_O365
  • YAMMER_ENTERPRISE
  • RMS_S_ENTERPRISE
  • OFFICESUBSCRIPTION
  • MCOSTANDARD
  • SHAREPOINTWAC
  • SHAREPOINTENTERPRISE
  • EXCHANGE_S_ENTERPRISE

  • Now that we have all the service plans available as part of our E3 license, the next step is to create a custom license SKU based on your requirements. In our current scenario, I was required to only allow Exchange, Azure Rights Management, Skype and Office ProPlus to end users. This is done by disabling the plans that we do not want to make available to end users. Run the following cmdlet to disable the undesired plans

$LicOptions = New-MsolLicenseOptions -AccountSkuId "365talk:ENTERPRISEPACK" -DisabledPlans FLOW_O365_P2,POWERAPPS_O365_P2,TEAMS1,PROJECTWORKMANAGEMENT,SWAY,YAMMER_ENTERPRISE,SHAREPOINTWAC,SHAREPOINTENTERPRISE

  • Once the license options are customized, you can proceed to apply the licenses to users

$AccountSkuId = "365talk:ENTERPRISEPACK"

$UsageLocation = "PK"

# users.csv needs a UserPrincipalName column
$Users = Import-Csv "C:\Temp\users.csv"
$Users | ForEach-Object {
    # A usage location must be set before a license can be assigned
    Set-MsolUser -UserPrincipalName $_.UserPrincipalName -UsageLocation $UsageLocation
    Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -AddLicenses $AccountSkuId -LicenseOptions $LicOptions
}

  • Once the license is assigned, log in to Office 365, navigate to Users > Active users and search for the user account to which you have assigned a custom license. You will see that a customized E3 license with the desired workloads is assigned to the user, with the usage location set to Pakistan

This script and the sample CSV file are being uploaded to TechNet Gallery. You can download the script and modify the workloads based on your needs to bulk assign licenses to users using PowerShell.
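
The -DisabledPlans list above is typed by hand, so a plan that is left off it stays enabled by omission. As an added example (not part of the original script), the function below derives the list from an allow-list instead and refuses to continue if an allowed name is not in the SKU. The function name Get-DisabledPlan and the inline plan list are assumptions for illustration; INTUNE_O365 is kept in the allow-list only because the post leaves it out of its disabled list.

```powershell
# Added example: build -DisabledPlans as "everything in the SKU that is not allowed".
function Get-DisabledPlan {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $AvailablePlans,  # every service plan in the SKU
        [Parameter(Mandatory)] [string[]] $AllowedPlans     # plans users may receive
    )

    # Fail closed: a misspelled allow-list entry would otherwise disable the
    # plan it was meant to keep without anyone noticing.
    $unknown = @($AllowedPlans | Where-Object { $AvailablePlans -notcontains $_ })
    if ($unknown.Count -gt 0) {
        throw "Allowed plan(s) not present in the SKU: $($unknown -join ', ')"
    }

    # Everything not explicitly allowed is disabled (comparison is case-insensitive).
    @($AvailablePlans | Where-Object { $AllowedPlans -notcontains $_ })
}

# Constructed sample input: the plan names listed above for the EnterprisePack SKU.
# Against a live tenant the same list comes from:
#   $ServicePlan.ServiceStatus.ServicePlan.ServiceName
$available = @(
    'FLOW_O365_P2', 'POWERAPPS_O365_P2', 'TEAMS1', 'PROJECTWORKMANAGEMENT', 'SWAY',
    'INTUNE_O365', 'YAMMER_ENTERPRISE', 'RMS_S_ENTERPRISE', 'OFFICESUBSCRIPTION',
    'MCOSTANDARD', 'SHAREPOINTWAC', 'SHAREPOINTENTERPRISE', 'EXCHANGE_S_ENTERPRISE'
)

# Exchange Online, Skype for Business, Azure Rights Management, Office ProPlus,
# plus INTUNE_O365, which the post does not disable.
$allowed = @(
    'EXCHANGE_S_ENTERPRISE', 'MCOSTANDARD', 'RMS_S_ENTERPRISE', 'OFFICESUBSCRIPTION',
    'INTUNE_O365'
)

$disabled = Get-DisabledPlan -AvailablePlans $available -AllowedPlans $allowed
$disabled -join ','

# The derived list then replaces the hand-typed one:
#   $LicOptions = New-MsolLicenseOptions -AccountSkuId "365talk:ENTERPRISEPACK" -DisabledPlans $disabled
```

With the sample input, the derived list contains the same eight plans as the hand-typed -DisabledPlans value above.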

 

Configuring Office 365 Preferred Language Settings

Introduction

Office 365 empowers organizations to use cloud-based services for their business to ensure anytime, anywhere access to corporate information. When you set up an Office 365 tenant for an organization with offices in different regions, you also need to let your end users set up their own preferred language in Office 365. For example, if you have a user in Japan, then his preference will be to use Japanese for his Office 365 portal instead of English. In Office 365, how you set the language for users depends on how their identities are provisioned, and you can easily update the language settings using PowerShell. If you have cloud-based identities, then you need to use Azure AD to modify the user account properties in Office 365. If you are using Azure AD Connect to sync on-premises Active Directory accounts with Office 365, then you have to update the settings in the local Active Directory.

Configuring Office 365 Preferred Language Settings for Cloud Identities

Configuring Office 365 language settings for cloud-based identities requires you to connect to Azure AD PowerShell. Perform the following steps to configure these settings.

  • Connect to Azure AD PowerShell using global admin credentials

C:\> Connect-MsolService

  • Run the following cmdlet to configure the preferred language settings for user pgarcia@msexperttalk.com to Urdu

PS C:\> Set-MsolUser -UserPrincipalName pgarcia@msexperttalk.com -PreferredLanguage "ur-PK"

  • To verify the language settings for the user account, run the following PS cmdlet

PS C:\> Get-MsolUser -UserPrincipalName pgarcia@msexperttalk.com | fl PreferredLanguage

Configuring Office 365 Preferred Language Settings for Synced Identities

When you are using synced identities with Office 365, you need to modify the on-premises user attribute in Active Directory to set the preferred language in Office 365. To change the preferred language in Office 365 to Urdu for a user Phil, you need to set the “PreferredLanguage” attribute in the user account properties in Active Directory. By default, this attribute does not contain any value, and English is used as the default language.

  • To modify the individual user account properties, you can run the following PowerShell cmdlet.

# Set-ADUser -Identity does not accept a UPN, so look the user up by UserPrincipalName first
Get-ADUser -Filter "UserPrincipalName -eq 'pgarcia@msexperttalk.com'" | Set-ADUser -Replace @{PreferredLanguage="ur-PK"}

  • To update the preferred language attribute in a specific OU, run the following cmdlet.

Get-ADUser -SearchBase "OU=Test,OU=IT,DC=msexperttalk,DC=com" -Filter * -Properties PreferredLanguage | ForEach-Object {Set-ADUser $_.SAMAccountName -Replace @{PreferredLanguage="ur-PK"}}

  • To update the preferred language attribute of users in a specific domain, run the following cmdlets. They set the attribute only for those users who do not have this attribute set.

# Set-AdServerSettings is an Exchange Management Shell cmdlet; the ActiveDirectory module cmdlets below do not need it
Set-AdServerSettings -RecipientViewRoot "msexperttalk.com"
#Change language to ur-PK for all users with a setting of NULL in the MSExpertTalk.com domain
Get-ADUser -SearchBase "DC=msexperttalk,DC=com" -Filter * -Properties PreferredLanguage | where {$_.PreferredLanguage -eq $null} | Select SAMAccountName | ForEach-Object {Set-ADUser $_.SAMAccountName -Replace @{PreferredLanguage="ur-PK"}}

Preferred Language attribute settings will update the language for the following in Office 365.

  • Office 365 Default Landing page
  • General settings and menu
  • Office 365 Management portal
  • Video
  • Groups
  • OneDrive for Business
  • Delve
  • Office Online
  • Planner

To review a complete list of available language codes, please visit the Microsoft TechNet site.

Configuring Office 365 Modern Authentication

Introduction

Modern authentication in Office 365 leverages Active Directory Authentication Library (ADAL)-based sign-in for Office client apps. Modern Authentication allows administrators to enable features such as Multi-Factor Authentication (MFA), SAML-based third-party Identity Providers with Office client applications, smart card and certificate-based authentication, and it removes the need for Outlook to use the basic authentication protocol.

Why do we need Modern Authentication?

Office 365 Multi-Factor Authentication (MFA) enables you to configure an additional layer of security for the user sign-in process to ensure data protection and minimize security risk. Users who are enabled for multi-factor authentication are required to configure an App Password in order to use Office desktop applications, including Outlook, Skype for Business, Word, Excel, PowerPoint and OneDrive for Business. An App Password is a 16-character randomly generated password that can be used with an Office client application as a way of increasing security in lieu of the second authentication factor. App passwords are randomly generated, and it’s hard for end users to memorize them. Modern Authentication in Office 365 helps desktop applications use ADAL-based authentication and eliminates the need to memorize an app password.

Modern Authentication requires a minimum of the Office 2013 client (15.0.4753.1001) installed on workstations.

By default, Office 2016 client apps are enabled for modern authentication and do not require any additional configuration on the client side. For Office 2013 client apps, registry keys need to be set up on the end user’s operating system to enable support for modern authentication. To enable modern authentication support for Windows workstations running Office 2013 client apps, the following registry keys are required.

Configuring Modern Authentication for Office Apps

Modern authentication in Office 365 is enabled on a per-user basis for workloads in Office 365. By default, modern authentication is enabled for SharePoint Online, and you do not have to configure anything in SharePoint Online to enable it.

Configuring Exchange Online for Modern Authentication

Follow these steps to configure Exchange Online for modern authentication in Office 365.

Get-OrganizationConfig | ft OAuth*

  • To enable the modern authentication for Exchange online, run the following cmdlet

Set-OrganizationConfig -OAuth2ClientProfileEnabled $True

  • To verify that modern authentication is enabled for Exchange Online, re-run the Get-OrganizationConfig cmdlet

Configuring Skype for Business Online for Modern Authentication

Follow these steps to configure modern authentication for Skype for Business Online in Office 365.

Get-CsOAuthConfiguration

  • To enable modern authentication for Skype for Business online, run the following cmdlet

Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

Once modern authentication is enabled for the Office 365 workloads and the client side is updated with the registry key for Office 2013 clients, the app password requirement is eliminated. MFA-enabled users will get the same experience during the authentication process as other users who do not have MFA enabled on their account.

 

Disable Skype for Business IM History

What is Skype for Business IM?

Skype for Business IM is an efficient way to connect with your coworkers in real time. Instant messaging is much faster than a formal email or a phone call. You can send and receive IMs from anywhere in Skype for Business, based on your company federation policies, and improve employee productivity.

Skype for Business stores the IM history in the Outlook client (Exchange mailbox) under the Conversation History folder, which you can use to search for previous conversations when and if required. Recently I came across a scenario where I was asked to disable the Skype for Business IM history in Office 365. This was the first time I heard such a request from a customer. I thought to share the steps with the community for their reference if they come across such a scenario.

Note: I do not recommend disabling Skype for Business IM history. You can use IM history for future reference or compliance reasons if required.

Disable Skype for Business IM History

To disable Skype for Business IM History, follow the instructions mentioned below.

  • Run Windows Azure PowerShell as Administrator
  • Import LyncOnlineConnector Module

You need to download and install the Skype for Business Online module before you run the Import cmdlet. The module can be downloaded from Microsoft.

  • Connect to Skype for Business Online. When prompted, enter the global admin credentials of Office 365

  • Run the cmdlet > $CSSession = New-CsOnlineSession -Credential $cred

  • Run the cmdlet to import the Skype for Business Online session: Import-PSSession $CSSession -AllowClobber

  • Review the CsClientPolicy settings for IM auto-archiving and call log archiving. The following cmdlet lists the policies that have both EnableIMAutoArchiving and EnableCallLogArchiving set to False
    • Get-CsClientPolicy | Where-Object {$_.EnableIMAutoArchiving -eq $False -and $_.EnableCallLogArchiving -eq $false}
  • Modify the CsClientPolicy to disable Skype for Business IM History
    • Grant-CsClientPolicy -PolicyName tag:ClientPolicyNoSaveIMNoArchivingNoIMURL -Tenant "TenantGUID"
  • Once you run the command, it takes about 4-6 hours for the policy to apply. The last command disables IM archiving history for your tenant, so all the domains in the tenant and all users under those domains get this policy applied.

Conclusion

Disabling Office 365 Skype for Business IM history is not recommended, as this can cause compliance issues for the organization. The Office 365 Security and Compliance center also provides the capability to search the IM history for compliance reasons. If your organization performs frequent eDiscovery and has compliance requirements, then it’s not advisable to disable Skype for Business IM history. I have seen this as a rare case where I was asked to disable Skype for Business IM history.
