Office 365

Add Skype for Business Federation Partner/Domain

Hey again!

Have you been searching and looking around to find a way to automate or use PowerShell for adding federation partners to Skype for Business Online?

Then here’s a great example for you, feel free to use the script and edit and tweak it. If you do tweak, edit or improve it, please go ahead and share it with the community and also link to my blog post.

In my case I’m using PowerShell version 5 together with the Skype for Business Online module, which is a requirement for connecting to the cloud service(s).

The script in itself is pretty much straightforward: type in one or more domains and they get added to the AllowedDomains list (domains that are already in the list are skipped).
This can be handy if you’re not using open federation and have to add a couple of new domains every now and then. Keep in mind that every domain on that list can exchange presence, IM and calls with your users, so double-check the spelling before you run it; a typo allows a domain you did not intend.

<#
.SYNOPSIS
Filename: Add-CsFedDomain.psm1

Jonas Andersson
Jonas.Andersson@testlabs.se

THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE
ENTIRE RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS
WITH THE USER.

Version 1.0, September 25th, 2016

.DESCRIPTION
Used for adding new federated domain(s) to the allowed domains list in Skype for Business Online.
Domains that are already in the list are skipped.

.NOTES
Prerequisite: an open Skype for Business Online PowerShell session (New-CsOnlineSession / Import-PSSession)
in which Get-CsTenant works.

Revision History
--------------------------------------------------------------------------------
1.0     Initial release

.EXAMPLE
Add-CsFederationDomain -domainName domain1.com
Add-CsFederationDomain -domainName domain1.com,domain2.com,domain3.com

#>

function Add-CsFederationDomain
{
    param (
        [Parameter(Mandatory = $true)][string[]]$domainName
    )

    # Get-CsTenant only works inside a Skype for Business Online session, so it doubles as the connectivity check.
    # Use return rather than break: a bare break inside a function also aborts the caller.
    $tenant = Get-CsTenant -ErrorAction SilentlyContinue
    if ($null -eq $tenant)
    {
        Write-Host "Not connected to Skype for Business Online, open a session first (New-CsOnlineSession)" -ForegroundColor Red
        return
    }

    # Accept "a.com,b.com", "a.com;b.com" or separate arguments; trim whitespace, lowercase and drop empty/duplicate entries.
    $domains = ($domainName -join ',') -split '[,;]' | ForEach-Object { $_.Trim().ToLower() } | Where-Object { $_ } | Select-Object -Unique

    foreach ($newdomain in $domains)
    {
        Write-Host "#########################################################################################" -ForegroundColor White
        Write-Host "Domain: $newdomain" -ForegroundColor DarkGreen

        # Re-read the configuration on every iteration so each Set-* call starts from the current list.
        $x = Get-CsTenantFederationConfiguration -Tenant $tenant.TenantId
        if ($null -eq $x.AllowedDomains.AllowedDomain)
        {
            # No explicit list exists, which most likely means open federation (AllowAllKnownDomains); nothing to add to.
            Write-Host "Tenant does not use an explicit allowed-domains list, nothing to add to" -ForegroundColor Red
            return
        }

        $domain = $x.AllowedDomains.AllowedDomain | Where-Object { $_.Domain -eq $newdomain }
        if ($null -eq $domain)
        {
            $d1 = New-CsEdgeDomainPattern -Domain $newdomain
            $x.AllowedDomains.AllowedDomain.Add($d1)
            Set-CsTenantFederationConfiguration -Tenant $tenant.TenantId -AllowedDomains $x.AllowedDomains
            Write-Host "Domain $newdomain was added successfully" -ForegroundColor Green
        }
        else
        {
            Write-Host "ERROR: $newdomain already in allowed list" -ForegroundColor Red
        }
    }
}

Inspiration from this great blog post:

https://gotspeechguy.com/2012/06/21/setting-up-a-tenants-allowed-domains-for-federation/
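As an added example (not part of the original post or script), here is a stricter wrapper around the same Get-/Set-CsTenantFederationConfiguration calls: it validates each domain against a DNS-name pattern before anything is written, supports -WhatIf/-Confirm so the change can be reviewed first, and returns the resulting allowed list. It assumes an open Skype for Business Online session; the function names, the regular expression and the sample input are mine.

```powershell
function ConvertTo-FederationDomainList {
    # Pure input normalisation: split on , or ;, trim, lowercase, dedupe, and reject anything that is
    # not a plausible DNS name. Returns a hashtable with Valid and Invalid arrays so callers can report both.
    param([Parameter(Mandatory = $true)][string[]]$InputDomains)

    $dnsPattern = '^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
    $valid   = New-Object System.Collections.Generic.List[string]
    $invalid = New-Object System.Collections.Generic.List[string]

    foreach ($raw in (($InputDomains -join ',') -split '[,;]')) {
        $d = $raw.Trim().ToLowerInvariant()
        if (-not $d) { continue }
        if ($d -match $dnsPattern) {
            if (-not $valid.Contains($d)) { $valid.Add($d) }
        } else {
            $invalid.Add($raw.Trim())
        }
    }
    return @{ Valid = $valid.ToArray(); Invalid = $invalid.ToArray() }
}

function Add-CsFederationDomainSafe {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory = $true)][string[]]$DomainName)

    $tenant = Get-CsTenant -ErrorAction Stop
    $lists  = ConvertTo-FederationDomainList -InputDomains $DomainName
    foreach ($bad in $lists.Invalid) {
        Write-Warning "Skipping '$bad': not a valid DNS domain name"
    }

    $config = Get-CsTenantFederationConfiguration -Tenant $tenant.TenantId
    if ($null -eq $config.AllowedDomains.AllowedDomain) {
        throw "Tenant is not using an explicit allowed-domain list (open federation?); nothing to add to."
    }
    $current = @($config.AllowedDomains.AllowedDomain | ForEach-Object { $_.Domain.ToLowerInvariant() })

    foreach ($skip in @($lists.Valid | Where-Object { $current -contains $_ })) {
        Write-Verbose "$skip is already allowed"
    }
    $toAdd = @($lists.Valid | Where-Object { $current -notcontains $_ })
    if ($toAdd.Count -eq 0) { return $current }

    # One write for the whole batch; -WhatIf prints the intended change without calling Set-*.
    if ($PSCmdlet.ShouldProcess("tenant $($tenant.TenantId)", "allow federation with: $($toAdd -join ', ')")) {
        foreach ($d in $toAdd) {
            $config.AllowedDomains.AllowedDomain.Add((New-CsEdgeDomainPattern -Domain $d))
        }
        Set-CsTenantFederationConfiguration -Tenant $tenant.TenantId -AllowedDomains $config.AllowedDomains
    }
    return (Get-CsTenantFederationConfiguration -Tenant $tenant.TenantId).AllowedDomains.AllowedDomain.Domain
}

# Usage (sample input is made up): mixed separators, a bad entry and a duplicate in different case.
# Add-CsFederationDomainSafe -DomainName "partner.example, bad_domain;Partner.Example" -WhatIf
```

With -WhatIf the function reports "partner.example" once, warns about "bad_domain" and writes nothing; without it, ConfirmImpact = 'High' means the tenant change is confirmed interactively unless -Confirm:$false is passed.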

Surface Hub – account creation

Background

Most of you already know what a Surface Hub is, since Microsoft has pushed these devices really hard. If you for some reason don’t know what it is or what it looks like, take a look at the following link: https://www.microsoft.com/microsoft-surface-hub/en-us

As you may know (or don’t, it doesn’t matter..), I’m responsible for the technical solution of Office 365 and, to be a bit more specific, Skype for Business is the main one for me.

However, to be honest it took me a while to actually figure out what kind of accounts were needed for the Surface Hub device. You can read about this on TechNet of course, but they just talk about a "device account" (and what the heck is that? computer or user?)..

With that said, I wanted to share what I have learned so far about creating the “device” accounts, which are ROOM MAILBOXES and nothing else (customized room mailboxes).

So, on to the steps that were taken:

Step 1:

  • Create one CSV file including the accounts we want to get created

In general the CSV file looks like the text below: semicolon-separated, one account per line.

alias;upn;name;password
edu.surfacehub_55;edu.surfacehub_55@testlabstrial.onmicrosoft.com;Surface Hub 55;Welcome2016!!
edu.surfacehub_84;edu.surfacehub_84@testlabstrial.onmicrosoft.com;Surface Hub 84;Welcome2016!!

Note that the password column is in clear text and these passwords are later set to never expire, so treat the file as a secret: keep it out of shared folders and source control, and delete it once the accounts have been created.

Step 2:

For automating the creation of the accounts listed in the file, we can easily utilize PowerShell. The script needs open sessions to Exchange Online, MSOnline (Connect-MsolService) and Skype for Business Online, since it touches all three.

# The CSV holds the device account passwords in clear text (see Step 1): restrict its ACL and remove it afterwards.
$accounts = Import-Csv ".\surfacehubacct.csv" -Delimiter ";"

# Prereq's
$countrycode = (Get-CsTenant).CountryAbbreviation

# TenantPoolExtension is a list of "<id>:<registrar pool FQDN>" strings; Enable-CsMeetingRoom needs the pool FQDN.
$regpool = (Get-CsTenant).TenantPoolExtension
$regpool = $regpool[0].Substring($regpool[0].IndexOf(':') + 1)

# The license SKU to assign. ENTERPRISEPACK is Office 365 E3; adjust it to the SKU you use for device accounts.
$skuid = Get-MsolAccountSku | Where-Object { $_.AccountSkuId.Contains("ENTERPRISEPACK") } | Select-Object -First 1

# The Surface Hub cannot handle a mobile device mailbox policy that enforces a device password or blocks
# non-provisionable devices. Reuse the first compatible policy, otherwise create a dedicated one.
$easpolicy = Get-MobileDeviceMailboxPolicy |
    Where-Object { $_.PasswordEnabled -eq $false -and $_.AllowNonProvisionableDevices -ne $false } |
    Select-Object -First 1

if (-not $easpolicy)
{
    Write-Host "No compatible Mobile Device Mailbox Policy found, creating one." -ForegroundColor Yellow
    $easpolicy = New-MobileDeviceMailboxPolicy -Name "SurfaceHubs" -PasswordEnabled $false -AllowNonProvisionableDevices $true
    Write-Host "A new Mobile Device Mailbox Policy has been created" -ForegroundColor Green
}

foreach ($account in $accounts)
{
    $password = ConvertTo-SecureString -String $account.password -AsPlainText -Force

    # Room mailbox with an enabled (sign-in capable) account, which is what the Surface Hub needs.
    New-Mailbox -MicrosoftOnlineServicesID $account.upn -Alias $account.alias -Name $account.name -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword $password

    # The ActiveSync policy is assigned while the mailbox is temporarily a regular mailbox, hence the type flip around Set-CASMailbox.
    Set-Mailbox -Identity $account.upn -Type Regular
    Set-CASMailbox -Identity $account.upn -ActiveSyncMailboxPolicy $easpolicy.Identity
    Set-Mailbox -Identity $account.upn -Type Room
    Set-Mailbox -Identity $account.upn -RoomMailboxPassword $password -EnableRoomMailboxAccount $true

    # Calendar processing: auto-accept and keep subject/body intact so the Hub shows who booked the room.
    Set-CalendarProcessing -Identity $account.upn -AutomateProcessing AutoAccept -AddOrganizerToSubject $false -AllowConflicts $false -DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!"
    Set-CalendarProcessing -Identity $account.upn -ProcessExternalMeetingMessages $true

    # The Hub cannot prompt for a password change, so the password never expires; rotate it deliberately instead.
    Set-MsolUser -UserPrincipalName $account.upn -PasswordNeverExpires $true
    # UsageLocation must be set before a license can be assigned, so it comes first.
    Set-MsolUser -UserPrincipalName $account.upn -UsageLocation $countrycode
    Set-MsolUserLicense -UserPrincipalName $account.upn -AddLicenses $skuid.AccountSkuId

    # Enable the account for Skype for Business meetings.
    Enable-CsMeetingRoom -Identity $account.upn -RegistrarPool $regpool -SipAddressType UserPrincipalName
}
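As an added verification step (my code, not part of the original post), the block below audits the accounts the script above creates. For each UPN in the same CSV it checks the properties the Surface Hub depends on and returns one object per account, so a failed or half-finished run shows up as False cells instead of a Hub that refuses to sign in. It assumes open Exchange Online, MSOnline and Skype for Business Online sessions; the CSV path is the one from the post.

```powershell
function Test-SurfaceHubAccount {
    param([Parameter(Mandatory = $true)][string]$Upn)

    $mbx  = Get-Mailbox -Identity $Upn -ErrorAction SilentlyContinue
    $cas  = Get-CASMailbox -Identity $Upn -ErrorAction SilentlyContinue
    $cal  = Get-CalendarProcessing -Identity $Upn -ErrorAction SilentlyContinue
    $msol = Get-MsolUser -UserPrincipalName $Upn -ErrorAction SilentlyContinue
    $room = Get-CsMeetingRoom -Identity $Upn -ErrorAction SilentlyContinue

    # Check the settings of whatever policy is applied, not its name, since any compatible policy is acceptable.
    $policy = $null
    if ($cas -and $cas.ActiveSyncMailboxPolicy) {
        $policy = Get-MobileDeviceMailboxPolicy -Identity "$($cas.ActiveSyncMailboxPolicy)" -ErrorAction SilentlyContinue
    }
    $policyOk = ($null -ne $policy) -and ($policy.PasswordEnabled -eq $false) -and ($policy.AllowNonProvisionableDevices -ne $false)

    [PSCustomObject]@{
        Upn                  = $Upn
        MailboxExists        = ($null -ne $mbx)
        IsRoomMailbox        = ($mbx -and $mbx.RecipientTypeDetails -eq 'RoomMailbox')
        RoomAccountEnabled   = ($mbx -and $mbx.RoomMailboxAccountEnabled -eq $true)
        EasPolicyCompatible  = $policyOk
        AutoAccept           = ($cal -and $cal.AutomateProcessing -eq 'AutoAccept')
        ExternalMeetings     = ($cal -and $cal.ProcessExternalMeetingMessages -eq $true)
        PasswordNeverExpires = ($msol -and $msol.PasswordNeverExpires -eq $true)
        Licensed             = ($msol -and $msol.IsLicensed -eq $true)
        UsageLocationSet     = ($msol -and -not [string]::IsNullOrEmpty($msol.UsageLocation))
        MeetingRoomEnabled   = ($null -ne $room)
    }
}

# Usage: re-read the provisioning CSV and list every account with at least one failed check.
$accounts = Import-Csv ".\surfacehubacct.csv" -Delimiter ";"
$results  = $accounts | ForEach-Object { Test-SurfaceHubAccount -Upn $_.upn }
$results | Format-Table -AutoSize
$results | Where-Object {
    @($_.PSObject.Properties | Where-Object { $_.Name -ne 'Upn' -and $_.Value -ne $true }).Count -gt 0
} | ForEach-Object { Write-Warning "$($_.Upn) failed one or more checks" }
```

Because the provisioning script is not idempotent (New-Mailbox fails on a second run), this is the safer way to find out what is missing for an account before re-running individual steps by hand.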

This post has been published mostly to remind myself how the accounts should be created (if possible), for the scenario where they cannot be created in the on-premises Active Directory and synchronized.

A follow up post will come later on regarding the accounts of Surface Hub

Great collaboration with Daniel Blunda regarding these accounts!

Address Book Policy using Exchange Online (Office 365)

The question was raised a couple of times and I couldn’t find any related articles besides the official TechNet articles, so I decided to write one myself.

Some organizations have the need to stop groups of people from seeing each other in the global address list (GAL). This is known as GAL segmentation and has been around for a long time.

However, when it comes to doing the segmentation in Office 365 and Exchange Online it can be challenging, so I decided to write this article and provide an example of how it can be done. Keep in mind that an address book policy (ABP) only controls what a user sees in the address lists; it does not stop mail between the segments, and a user who already knows an address can still send to it.


Scenario – segmentation between school (students & teachers) and others (teachers, admin personnel and managers).

In detail: the teachers and the students should be able to find each other in the address lists, while the administrators shouldn’t be able to find the students in their lists. However, administrators and teachers should still be able to reach each other through the address lists.


ABP

 

RBAC

By default the global administrator does NOT have access to manage the address lists, because the Address Lists management role is not assigned to any role group. Either add the Address Lists role to the Organization Management role group, or (preferably, since it keeps the permission scoped to the people who actually need it) create a new role group containing only that role and add the appropriate user to it.

 
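As an added example (mine, not from the original post), this is the least-privilege variant: a dedicated role group that carries only the "Address Lists" management role, created idempotently and then verified. The group name and the member address are assumptions; run it in an Exchange Online PowerShell session as a global admin.

```powershell
$groupName = "Address List Admins"                          # assumed name
$member    = "abp-admin@testlabstrial.onmicrosoft.com"      # assumed member

# Create the group only if it does not exist yet, so the script can be re-run safely.
$group = Get-RoleGroup -Identity $groupName -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-RoleGroup -Name $groupName -Roles "Address Lists" -Members $member `
        -Description "Can manage address lists, GALs, OABs and address book policies only"
}

# Verify the effective assignment: exactly the Address Lists role, and the expected member.
$assignments = Get-ManagementRoleAssignment -RoleAssignee $groupName
$assignments | Select-Object Role, RoleAssigneeType, RecipientWriteScope
if (@($assignments | Where-Object { $_.Role -ne "Address Lists" }).Count -gt 0) {
    Write-Warning "$groupName carries roles other than Address Lists; review before use."
}
Get-RoleGroupMember -Identity $groupName | Select-Object Name, RecipientType
```

The member has to open a new Exchange Online session before the New-AddressList and related cmdlets show up, since the role assignment is evaluated at connect time.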

Attributes

One way of making sure the segmentation works the way it is expected is to group the users using the extensionAttribute/CustomAttribute values in AD/Exchange.
These should be configured in the on-premises Active Directory (AD) and are then synchronized to Exchange Online.

In this example all students and teachers have a value of “EDU” in their extensionAttribute15/CustomAttribute15, while the administrators and managers have a value of “ADM” in their extensionAttribute14/CustomAttribute14, so they can easily be filtered. Since the teachers must show up in both the student and the administrator address lists, they need both values (and, for the policy assignment further down, “teachers” in extensionAttribute1/CustomAttribute1).

With the attribute values in place, we need to configure address lists, a global address list, an offline address book and an address book policy, and finally apply the policy to the mailboxes. A mailbox with no policy assigned keeps the default (full) GAL, so the assignment step is the one to double-check.

This is done using PowerShell for Exchange Online, running the following cmdlets.


 

Configuration for students and teachers


New-AddressList -Name "AL-EDU-Users-DGs" -RecipientFilter {((RecipientTypeDetails -eq 'UserMailbox') -or (RecipientTypeDetails -eq 'MailUniversalDistributionGroup') -or (RecipientTypeDetails -eq 'DynamicDistributionGroup')) -and (CustomAttribute15 -eq 'EDU')}

New-AddressList -Name "AL-EDU-Rooms" -RecipientFilter {((Alias -ne $null) -and ((RecipientDisplayType -eq 'ConferenceRoomMailbox') -or (RecipientDisplayType -eq 'SyncedConferenceRoomMailbox'))) -and (CustomAttribute15 -eq 'EDU')}

New-GlobalAddressList -Name "GAL-EDU" -RecipientFilter {(CustomAttribute15 -eq 'EDU')}

New-OfflineAddressBook -Name "OAB-EDU" -AddressLists "GAL-EDU"

New-AddressBookPolicy -Name "ABP-EDU" -AddressLists "AL-EDU-Users-DGs","AL-EDU-Rooms" -OfflineAddressBook "\OAB-EDU" -GlobalAddressList "\GAL-EDU" -RoomList "\AL-EDU-Rooms"

# -ResultSize Unlimited matters: Get-Mailbox returns at most 1000 objects by default, which silently leaves mailboxes without a policy.
Get-Mailbox -ResultSize Unlimited -Filter "CustomAttribute15 -eq 'EDU'" | Set-Mailbox -AddressBookPolicy "ABP-EDU"

 

Configuration for administrator personnel, managers and teachers


New-AddressList -Name "AL-ADM-Users-DGs" -RecipientFilter {((RecipientTypeDetails -eq 'UserMailbox') -or (RecipientTypeDetails -eq 'MailUniversalDistributionGroup') -or (RecipientTypeDetails -eq 'DynamicDistributionGroup')) -and (CustomAttribute14 -eq 'ADM')}

New-AddressList -Name "AL-ADM-Rooms" -RecipientFilter {((Alias -ne $null) -and ((RecipientDisplayType -eq 'ConferenceRoomMailbox') -or (RecipientDisplayType -eq 'SyncedConferenceRoomMailbox'))) -and (CustomAttribute14 -eq 'ADM')}

New-GlobalAddressList -Name "GAL-ADM" -RecipientFilter {(CustomAttribute14 -eq 'ADM')}

New-OfflineAddressBook -Name "OAB-ADM" -AddressLists "GAL-ADM"

New-AddressBookPolicy -Name "ABP-ADM" -AddressLists "AL-ADM-Users-DGs","AL-ADM-Rooms" -OfflineAddressBook "\OAB-ADM" -GlobalAddressList "\GAL-ADM" -RoomList "\AL-ADM-Rooms"

Get-Mailbox -ResultSize Unlimited -Filter "CustomAttribute14 -eq 'ADM'" | Set-Mailbox -AddressBookPolicy "ABP-ADM"

 

Configuration for teachers (“Everyone”)

The configuration for the teachers is a bit different since they should be able to see all users. In my example I configure the policy to include all address lists; this can be adjusted so it matches your requirements. Run this assignment last: teachers match the EDU and ADM filters above as well, and the final Set-Mailbox wins.


New-AddressBookPolicy -Name "ABP-Teachers" -AddressLists "AL-ADM-Users-DGs","AL-ADM-Rooms","AL-EDU-Users-DGs","AL-EDU-Rooms","All Groups","All Contacts","All Distribution Lists","All Rooms","All Users" -OfflineAddressBook "\Default Offline Address Book" -GlobalAddressList "\Default Global Address List" -RoomList "\All Rooms"

Get-Mailbox -ResultSize Unlimited -Filter "CustomAttribute1 -eq 'teachers'" | Set-Mailbox -AddressBookPolicy "ABP-Teachers"

 

PS. In the example for applying the policy to teachers, I’ve filtered the users using extensionAttribute1/CustomAttribute1 with the value of “teachers”.

 
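Before telling users the segmentation is in place it is worth checking that it actually holds. The block below is an added example (my code, not from the original post): it previews each GAL's membership with the same filter the GAL stores (Get-Recipient -RecipientPreviewFilter), flags cross-group leakage, and lists in-scope mailboxes that carry the wrong policy or none at all, since those users still see the default GAL. The names follow the post (GAL-EDU, GAL-ADM, ABP-EDU, ABP-ADM, ABP-Teachers, CustomAttribute1/14/15); that teachers carry both the EDU and ADM values is taken from the scenario.

```powershell
function Get-GalPreview {
    # Returns the recipients a GAL's filter currently matches, using the OPATH filter stored on the GAL.
    param([Parameter(Mandatory = $true)][string]$GalName)
    $gal = Get-GlobalAddressList -Identity $GalName -ErrorAction Stop
    Get-Recipient -ResultSize Unlimited -RecipientPreviewFilter $gal.RecipientFilter
}

function Test-AbpSegmentation {
    # Check 1: cross-group leakage inside each GAL. Teachers (CustomAttribute1 = teachers) are allowed in both.
    $eduLeaks = @(Get-GalPreview -GalName "GAL-EDU" | Where-Object {
        $_.CustomAttribute1 -ne "teachers" -and $_.CustomAttribute14 -eq "ADM"
    })
    $admLeaks = @(Get-GalPreview -GalName "GAL-ADM" | Where-Object {
        $_.CustomAttribute1 -ne "teachers" -and $_.CustomAttribute15 -eq "EDU"
    })

    # Check 2: every in-scope mailbox carries the policy the scenario expects. A mailbox with no ABP
    # still sees the default GAL, i.e. everyone, which is the failure that matters most.
    $wrongPolicy = @(Get-Mailbox -ResultSize Unlimited -Filter "CustomAttribute15 -eq 'EDU' -or CustomAttribute14 -eq 'ADM'" |
        Where-Object {
            $expected = if ($_.CustomAttribute1 -eq "teachers") { "ABP-Teachers" }
                        elseif ($_.CustomAttribute15 -eq "EDU") { "ABP-EDU" }
                        else { "ABP-ADM" }
            "$($_.AddressBookPolicy)" -ne $expected
        } |
        Select-Object PrimarySmtpAddress, CustomAttribute1, CustomAttribute14, CustomAttribute15, AddressBookPolicy)

    [PSCustomObject]@{
        AdmInEduGal  = $eduLeaks | Select-Object -ExpandProperty PrimarySmtpAddress
        EduInAdmGal  = $admLeaks | Select-Object -ExpandProperty PrimarySmtpAddress
        WrongOrNoAbp = $wrongPolicy
        Passed       = ($eduLeaks.Count -eq 0 -and $admLeaks.Count -eq 0 -and $wrongPolicy.Count -eq 0)
    }
}

$result = Test-AbpSegmentation
$result | Format-List
if (-not $result.Passed) { Write-Warning "Segmentation is incomplete, see the lists above." }

# ABP only hides entries. To stop display names from resolving across policies in mail between the
# segments (recipients in another ABP are then treated as external), enable ABP routing on the tenant:
# Set-TransportConfig -AddressBookPolicyRoutingEnabled $true
```

Run it once right after the assignment and again after the next directory synchronization, since new mailboxes arrive without a policy until the Set-Mailbox step is repeated for them.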

The final result is shown below (screenshots of the GAL as seen by a member of each group):

Students – able to find students and teachers in the GAL

Admins – able to find admins, managers and teachers in the GAL

Managers – able to find admins, managers and teachers in the GAL

Teachers – able to find everyone in the GAL

I hope this gave you a clearer picture of the configuration, feel free to comment or give any feedback!


More information:

http://technet.microsoft.com/en-us/library/jj657455(v=exchg.150).aspx

Populate extensionAttribute with value using PowerShell

Implementing AD FS with the Alternative Login ID feature that KB2919355 introduced for Windows Server 2012 R2? (http://technet.microsoft.com/en-us/library/dn659436.aspx)

The configuration for Alternative Login ID is fairly simple; the extensionAttributes/CustomAttributes can be used as the login ID attribute, and I want to share a script with you for populating values into the attribute. Whatever attribute you pick, the values must be unique within the forest and shaped like a UPN (user@suffix), otherwise AD FS cannot resolve a login to exactly one account.

Use the script as much as you want, but make sure to test it before implementing it in production.
All content is provided “AS IS” with no warranties, and confers no rights. You assume all risk for your use.

 

# +=======================================================================
# | Blog: http://www.testlabs.se/blog
# | Twitter: @jonand82
# | =============================================
# | Filename: populate_extensionattribute15_v1.0.ps1
# |
# | CREATED BY: Jonas Andersson
# | FUNCTION: Populates users extensionAttribute15 with SamAccountName plus a value
# |
# | CHANGE LOG:
# | v1.0 - 2014-05-28, *Created*
# +=======================================================================

Import-Module ActiveDirectory

# Fetch extensionAttribute15 up front so the current value can be shown next to the new one.
$users = Get-ADUser -Filter * -SearchScope Subtree -SearchBase "OU=Users,OU=Testlabs,DC=testlabs,DC=se" -Properties extensionAttribute15
$value = "@testlabs.se"
foreach ($i in $users)
{
    $ext = ($i.SamAccountName) + $value
    Write-Host "extensionAttribute15:", $ext, "(was:", $i.extensionAttribute15, ")"

    # -Replace sets the value in one write and overwrites any old value, so no separate -Clear/-Add pair is needed.
    Set-ADUser -Identity $i.DistinguishedName -Replace @{extensionAttribute15 = $ext}
}
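Before pointing AD FS at extensionAttribute15, the values should be checked for uniqueness and shape across the whole forest, not just the OU the script above populated; a duplicate makes a sign-in ambiguous and a malformed value never matches. The block below is an added example (mine, not part of the original post). The forest, search base, attribute and suffix are the ones used in the post; the AD FS cmdlet shown at the end is the documented Set-AdfsClaimsProviderTrust -AlternateLoginID switch and is only printed, not executed.

```powershell
Import-Module ActiveDirectory

function Test-AlternateLoginIdValues {
    param(
        [string]$Attribute = "extensionAttribute15",
        [string]$SearchBase = "DC=testlabs,DC=se",
        [string[]]$AcceptedSuffixes = @("@testlabs.se")
    )
    # Every object class, not only users: a contact or group with a stray value is matched by the lookup too.
    $objects = @(Get-ADObject -LDAPFilter "($Attribute=*)" -SearchBase $SearchBase -SearchScope Subtree -Properties $Attribute, objectClass)

    $upnShape = '^[^@\s]+@[^@\s]+\.[^@\s]+$'
    $badShape = @($objects | Where-Object { $_.$Attribute -notmatch $upnShape })
    $badSuffix = @($objects | Where-Object {
        $v = $_.$Attribute.ToLowerInvariant()
        -not ($AcceptedSuffixes | Where-Object { $v.EndsWith($_.ToLowerInvariant()) })
    })
    # Case-insensitive duplicates, since the AD FS lookup is not case sensitive.
    $dupes = @($objects | Group-Object { $_.$Attribute.ToLowerInvariant() } | Where-Object { $_.Count -gt 1 })
    $nonUsers = @($objects | Where-Object { $_.objectClass -ne 'user' })

    [PSCustomObject]@{
        Total       = $objects.Count
        Duplicates  = $dupes | ForEach-Object { [PSCustomObject]@{ Value = $_.Name; Objects = ($_.Group.DistinguishedName -join '; ') } }
        BadShape    = $badShape.DistinguishedName
        BadSuffix   = $badSuffix.DistinguishedName
        NonUserObjs = $nonUsers.DistinguishedName
        Clean       = ($dupes.Count -eq 0 -and $badShape.Count -eq 0 -and $badSuffix.Count -eq 0 -and $nonUsers.Count -eq 0)
    }
}

$check = Test-AlternateLoginIdValues
$check | Format-List
if ($check.Clean) {
    # To be run on the primary AD FS server once the data is clean; UPN remains usable as the login name as well.
    Write-Host 'Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID extensionAttribute15 -LookupForests testlabs.se'
} else {
    Write-Warning "Fix the values above before enabling Alternate Login ID."
}
```

Re-run the check after every bulk population, and make sure ordinary users have no write access to the attribute (by default they do not), since whoever can set it on their own object can choose which login name AD FS maps to them.
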
Part 6: Prerequisites for Coexistence between Domino and Exchange 2013/Office 365

Published: 2013-10-08
Updated: –
Version: 1.0

This post will focus on having the technical prerequisites ready and in place for a successful Domino/Notes coexistence deployment.

Before going into any details: if you are planning a coexistence scenario between Domino and Exchange, you may consider using Dell Software’s Coexistence Manager for Notes. One important thing to mention is that the vendor requires certified people for the project.

This blog post is based on Coexistence Manager for Notes version 3.5.0.29

Read the other parts:

Part 1: Migrations – Overview
Part 2: Prerequisites for Domino/Notes migrations
Part 3: Migrating Domino/Notes to Exchange 2013 On-premise
Part 4: Migrating Domino/Notes to Office 365
Part 5: Migrating Resources Mailboxes, Mail-In databases and Groups
Part 7: Configuring Coexistence Manager for Notes with Exchange 2013 On-premise
Part 8: Configuring Coexistence Manager for Notes with Office 365
Part 9: Prerequisites for Migration Manager
Part 10: Migrating User Mailboxes from Exchange 2003 to Exchange 2013 using Migration Manager
Part 11: Migrating User Mailboxes from Exchange On-premise to Office 365

Service Accounts

Some service accounts are needed when using the coexistence software, as outlined below.

Mail connector

No specific account with permissions is required.

Free/Busy

For looking up the free/busy information we need read access on both sides: one regular Exchange/Office 365 mailbox and one regular Domino mailbox.

One thing to keep in mind when establishing coexistence between on-premises Domino and Office 365 is that an additional namespace needs to be introduced so that the requests use Autodiscover and find the route back. If that for any reason can’t be implemented, a hybrid solution is the only possible way of solving it. More info about this in the upcoming post.

Directory connector

The service account used for directory sync needs rights to create and update the synchronized objects in Active Directory. The vendor’s guidance is membership in the Domain Admins and Organization Management groups; delegated write permissions on the OU the objects are created in are the least-privilege alternative and keep a compromised sync account from becoming a domain-wide problem, so prefer that where you can.
On the Domino side, a regular account with read permissions through LDAP to the address books that should be synced can be used. Write permissions are only required if synchronization should take place from AD to Domino. Note that the Internet password needs to be configured for this account.

One thing to keep in mind is that synchronizing the Domino objects directly to Office 365 is not supported. However, this can be done in a two-step procedure: directory-synchronize them from Domino into the local Active Directory and then use the Microsoft Office 365 DirSync tool to get them into Office 365.

Note: Target Active Directory server must have the Exchange schema extensions for being able to create mail contacts.

Availability Address Space

One thing that’s required for free/busy lookups is that the availability address space is configured. This is done either in on-premises Exchange or in Office 365.

The cmdlet for doing it on-premises:

Add-AvailabilityAddressSpace -ForestName <smtpdomain> -AccessMethod OrgWideFB

For doing this in Office 365, run the following cmdlets. The credential is the account Office 365 uses to call the CMN Autodiscover endpoint; if you keep this in a script file, use Get-Credential instead of a password literal so the password does not end up on disk.

New-AvailabilityConfig -OrgWideAccount questmsn
$adminCredsId = "<YourUserName>"
$adminCredsPassword = "<YourPassword>"
$securePassword = ConvertTo-SecureString $adminCredsPassword -AsPlainText -Force
$adminCreds = New-Object System.Management.Automation.PSCredential($adminCredsId, $securePassword)
Add-AvailabilityAddressSpace -AccessMethod OrgWideFB -ForestName <YourDomain.com> -Credentials $adminCreds -TargetAutodiscoverEpr 'https://autodiscover.<YourDomain.com>/autodiscover/autodiscover.xml'

Certificates

If CMN is used in an on-premises deployment, I would recommend, or at least consider, using an internal PKI for the certificate, since the certificate chain can easily be deployed using Group Policy.

But in the case of coexistence between on-premises Domino and Office 365, the free/busy requests to the CMN server(s) come from an external party (Office 365) that doesn’t trust your internal PKI, so a certificate from a publicly trusted CA is required.

SQL Server

Version 3.5.x of Coexistence Manager for Notes (CMN) uses SQL Server for its configuration and collected data.

The SQL Native Client needs to be installed, together with SQL Server 2005 or SQL Server 2005 Express, or newer.

In my lab environment, I’m running SQL 2008 R2 Express on my Coexistence server. In larger environments, the databases can be placed onto a SQL cluster/server instead of having them locally.

If you, however, choose to use SQL Express, make sure to take backups of the databases.

Lotus Notes client

If you are going to use the ActiveMail feature, I recommend using Lotus Notes version 8.0.0 (the Basic client; the Eclipse-based client is not supported). However, Lotus Notes versions 7.0.3 and 7.0.4 can also be used if you don’t have 8.0.0.

The installation of Lotus Notes should be done in single-user mode.

.NET Framework 4

Make sure to install the .NET Framework 4 since this is a prerequisite for CMN. I would also recommend upgrading it to the latest service pack level.

Internet Information Services (IIS)

Install IIS together with the ASP.NET 4.0 feature and use a certificate whose “CN” (subject name) matches the Quest Autodiscover Host Name value.

This certificate is used when clients send their requests between the systems, so a name mismatch makes the Autodiscover calls fail rather than just producing a warning.

Antivirus

There are NO known folders that should be excluded from the Antivirus file-level scanning

Regional Settings

For being able to install the software, be aware that regional settings and language settings need to be configured to “English”.

Windows Firewall

The vendor recommends turning OFF the Windows Firewall on all CMN servers. If that’s not possible, make sure to open all the needed ports; the port list can be found below. Since that list is everything the software needs, a scoped rule set is the better option whenever you can get it through, as it keeps the SQL instance and the Qcalcon ports from being reachable by the whole network.

User Account Control (UAC)

It’s recommended to disable UAC on all CMN servers.

This is done in the Control Panel under User Accounts, Change User Account Control settings.

Make sure to set it to “Never notify” and restart the server before installing the software.

Data Execution Prevention (DEP)

It’s recommended to disable DEP, so make sure to do that.

If you’re using Windows 2008 R2 like I do, then you disable DEP by running:

bcdedit /set nx AlwaysOff

Also, make sure to restart the server when this is done to allow it to take effect. Be aware that this switches off the NX memory protection for every process on the host, not only for CMN, so these servers should be kept patched and reachable only on the ports listed below.

Network Ports

Port   In/Out   Type                  Source                              Target                                     Description
25     In       SMTP                  Domino/Exchange                     CMN server(s)                              Incoming SMTP
25     Out      SMTP                  CMN (SMTP)                          Domino/Exchange                            Outgoing SMTP
389    Out      LDAP                  CMN (Dirsync)                       Active Directory DC / Domino LDAP server   LDAP
3268   Out      LDAP GC               CMN (Dirsync)                       Active Directory DC                        LDAP global catalog
636    Out      LDAPS                 CMN (Dirsync)                       Active Directory DC                        LDAPS
3269   Out      LDAPS                 CMN (Dirsync)                       Active Directory DC                        LDAPS global catalog
80     Out      HTTP                  CMN (Freebusy)                      Exchange CAS servers                       HTTP
443    Out      HTTPS                 CMN (Freebusy)                      Exchange CAS servers                       HTTPS
80     In       HTTP                  Exchange CAS servers, Office 365    CMN (Freebusy)                             HTTP
443    In       HTTPS                 Exchange CAS servers, Office 365    CMN (Freebusy)                             HTTPS
8900   Out      Availability Service  Domino Qcalcon server               Exchange CAS servers                       Availability
8960   In       Qcalcon               Domino Qcalcon server               CMN (Freebusy)                             Qcalcon
8961   In       Qcalcon               Domino Qcalcon server               CMN (Freebusy)                             Qcalcon
1352   Out      Domino                CMN (Freebusy, Dirsync)             All Domino servers                         Free/busy lookup
8962   Out      PF Reader             CMN (Freebusy)                      Exchange PF                                Exchange public folder reader service
1433   In       SQL                   CMN servers                         CMN SQL instance                           SQL

Where the firewall stays on, these are the only rules needed. Prefer the LDAPS rows (636/3269) over plain LDAP (389/3268) for the directory connector, so the sync account’s bind credentials are not sent in clear, and use HTTPS rather than HTTP for the free/busy traffic for the same reason.
Notes from the field

Network Monitoring or Wireshark may sometimes be your best friend during troubleshooting network connectivity.

Portqry is another tool that could be of great value during initial network verification.
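As an added example (my code, not from the original post), the block below checks the outbound half of the port matrix above from the CMN server itself, which is usually the first thing to do before a Portqry or Wireshark session. It uses a raw TCP connect with a timeout (System.Net.Sockets.TcpClient) so it also works on Windows Server 2008 R2, where Test-NetConnection is not available; it does need PowerShell 3.0 or later for the [PSCustomObject] syntax. The host names are placeholders in the post’s lab domain and are assumptions to replace; the inbound rows have to be tested from the peer side instead.

```powershell
function Test-TcpPort {
    # Returns $true if a TCP handshake completes within the timeout, $false for refused, filtered or unresolvable.
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # no SYN/ACK: dropped or filtered
        $client.EndConnect($async)                                                      # throws on an active RST
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Outbound rows of the port table, seen from a CMN server. Host names are placeholders (assumed).
$matrix = @(
    @{ Role = "SMTP";     Target = "domino01.testlabs.se"; Port = 25   },
    @{ Role = "SMTP";     Target = "mail.testlabs.se";     Port = 25   },
    @{ Role = "Dirsync";  Target = "dc01.testlabs.se";     Port = 636  },
    @{ Role = "Dirsync";  Target = "dc01.testlabs.se";     Port = 3269 },
    @{ Role = "Dirsync";  Target = "domino01.testlabs.se"; Port = 389  },
    @{ Role = "Freebusy"; Target = "mail.testlabs.se";     Port = 443  },
    @{ Role = "Freebusy"; Target = "domino01.testlabs.se"; Port = 1352 },
    @{ Role = "Freebusy"; Target = "exchpf01.testlabs.se"; Port = 8962 },
    @{ Role = "SQL";      Target = "sql01.testlabs.se";    Port = 1433 }
)

$results = foreach ($row in $matrix) {
    [PSCustomObject]@{
        Role   = $row.Role
        Target = $row.Target
        Port   = $row.Port
        Open   = Test-TcpPort -ComputerName $row.Target -Port $row.Port
    }
}
$results | Format-Table -AutoSize
$closed = @($results | Where-Object { -not $_.Open })
if ($closed.Count -gt 0) {
    Write-Warning "$($closed.Count) port(s) unreachable; hand the table above to the firewall team."
}
```

A port that shows as open here but still fails in CMN usually points at the certificate or name (the Autodiscover host name vs. the certificate CN) rather than at the network, which is where Wireshark comes in.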

A good log reader; my favorite is the old tool that was included in the SMS 2003 resource kit, called trace32.exe.
