Restore Softdeleted O365 Mail box

In this Blog we will see how to Restore an Soft Deleted Mail box in O365


Connect to Office 365 using below powershell commands 

$UserCredential = Get-Credential 

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection 

Import-PSSession $Session

Command To List all the Soft Deleted Mailboxs.

Get-Mailbox -SoftDeletedMailbox | Select DisplayName,ExchangeGuid,PrimarySmtpAddress,ArchiveStatus,DistinguishedName

Below command to export all the Soft Deleted mail boxes to an Excel

Get-Mailbox -SoftDeletedMailbox | Select DisplayName,ExchangeGuid,PrimarySmtpAddress,ArchiveStatus,DistinguishedName | Export-Csv c:\Softdeleted.csv

From the above command identify the mail box which we are trying to restore and copy the ExchangeGUID

$SoftMailbox = Get-Mailbox -SoftDeletedMailbox <Exchagne GUID>

Mail Box Move request 

New-MailboxRestoreRequest -SourceMailbox $SoftMailbox.DistinguishedName -TargetMailbox <Enter Traget mailbox where to restore mail@contoso.com> –AllowLegacyDNMismatch

To check the Restore Progress 

Get-MailboxRestoreRequest -Identity mail@contoso.com

To get the progress in Percentage Complete 

Get-MailboxRestoreRequestStatistics -Identity mail@contoso.com



Hope this help any one trying to restore Softdeleted mailboxes

Enabling litigation hold on O365

Enabling Litigation hold for O365 users

There are multiple ways to give access to an users who left organization

1) Place mail box in Litigation Hold
2) Convert to Shared mail box.

What is litigation Hold?

Place a mailbox on Litigation Hold to preserve all mailbox content, including deleted items and original versions of modified items. When you place a mailbox on Litigation Hold, the user's archive mailbox (if it's enabled) is also placed on hold. Deleted and modified items are preserved for a specified period or until you remove the mailbox from Litigation Hold.

when you place an Mail box in Litigation hold the mail will be preserved in X amount of days, we can give the mail box access to any person who has re-placed him in the organization.

all these mail boxes will be listed in the Inactive mail boxes and can we and can be attached to respective users who required access to the mails

Below are the commands to place the mail boxes in litigation hold

Connect to O365 power shell before executing below commands

To place an user to Litigation hold

The below command will place an particular mail box under litigation hold for 10 Years

Set-Mailbox ramesh@contoso.com -LitigationHoldEnabled $true -LitigationHoldDuration 3665

The Below command will place mail box under litigation hold for indifinate years

Set-Mailbox ramesh@contoso.com -LitigationHoldEnabled

Enable Litigation hold for all the O365 users

Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -LitigationHoldEnabled $true -LitigationHoldDuration 3665

Enable Litigation hold for only not enabled users

Get-Mailbox | Where {$_.LitigationHoldEnabled -match "False"} | ForEach-Object {

$Identity = $_.alias; Set-Mailbox -Identity $Identity -LitigationHoldEnabled $True } 

Convert to Shared mail box

Once the users lefts the organization we can convert his mail box to an Shared mail box and we can retain the License, for shared mail boxes license is not required.
the mail box can be given access to the respective users for the left user's historical mail for compliance purpose   

Set-Mailbox -Identity <MailboxIdentity> -Type Shared

Set-Mailbox -Identity ramesh@contoso.com -Type Shared

Unable to Load Azure active directory power shell Module

Unable to Load Azure active directory power shell Module

When i try to launch Azure Active Directory module it was keep on saying that unable to load the module

 
Checked my Machine configuration by using $PSVersionTable 

Below is my machine configuration 

Name                                             Value
----                                                 -----
CLRVersion                                     2.0.50727.5485
BuildVersion                                   6.1.7601.17514
PSVersion                                       2.0
WSManStackVersion                      2.0
PSCompatibleVersions                   1.0, 2.0
SerializationVersion                        1.1.0.1
PSRemotingProtocolVersion           2.1

My Machine has winrm 2.0 in order to load the azure active directory power module to work we required 

windows management framework 3.0 here is the link to download WMF 3.0  

once the windows management framework 3.0 got installed on my machine Azure active directly power shell got connected with out any issues

Hope this helps any one who are having issues to load the azure active directly power shell. 

Change Primary SMTP address on O365

In this Blog we will how to change Primary SMTP address on O365 which is synced from AAD Connect.

The objects which are synced from AD to O365 we cannot change at O365 level it will throw an " it is beyond users write scope" in order to do this we have to user power shell to change the SMTP address.

let say if we want to change users’ email address from user@domain.onmicrosoft.com to user@domain.com.

Login to windows power shell and connect to O365.

Below are the commands to Login to O365.

$UserCredential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Import-PSSession $Session

Use the below power shell command

Set-Mailbox user@domain.onmicrosoft.com -WindowsEmailAddress username@domain.com.

Exempt MFA from Corporate network using Azure and ADFS Claim Rules

In this blog we will see how to Exempt MFA additional security for the users from Corporate network and using ADFS Claim Rules.

What is MFA ?

Multi-factor authentication (MFA) is a method of authentication that requires the use of more than one verification method and adds a second layer of security to user sign-ins and transactions

IP Whitelist allows administrators to add an extra level of security and convenience by only requiring users to perform MFA when accessing resources from outside their corporate network. This can be done two ways:

Whitelisting of IP addresses: White-listing of IP Address in Azure portal.

Configuring claim rules in AD FS: Configure ADFS Claim rules to Exempt MFA from Corporate Network

Whitelisting of IP addresses

Login in to https://manage.windowsazure.com

Select Active Directory in the below screen.



Once you select Active Directory search for Office and select Exchange from the below screen.



Select Configure in the Below screen.





Enable Access Rules : ON

Apply to : Depending up on your requirement select All users/Groups

 Rules : Requires MFA when not at work. it will only prompt MFA when users try to access from outside the corporate network.

Rules : Under rules select "click here to define/edit your work network location. it will redirect to other page you have to list out all the Public IP Address of you work Network.



in the below screen under trusted IP's enter all the required IP's to Exempt user for MFA and click Save.



It might take 24 hours to Propagate in all the O365 servers.

ADFS Claim Rules to Exempt MFA

Open ADFS configuration Manager, Click on Edit Claim rules and create new claim rule.






Below is the Claim Rule

"c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]

=> issue(Type = "http://schemas.microsoft.com/claims/authnmethodsreferences", Value = "http://schemas.microsoft.com/claims/multipleauthn");"

Hope this helps!!!!

To Bulk Enable MFA for the O365 users

In this Blog i will show to Bulk enable MFA for the list of user in O365

Below is the command to enable MFA from the list of users. Create an CSV file and list out all the users which needs to be enable MFA

$auth = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement

$auth.RelyingParty = "*"

$auth.State = "Enabled"

Import-csv C:\test.csv | Foreach{ Set-MsolUser -UserPrincipalName $_.UserPrincipalName -StrongAuthenticationRequirements $auth}  >C:\test1.csv 

To the get the output of the MFA enable users

$Users=Import-csv C:\test.csv | foreach {get-msoluser -userprincipalname $_.userprincipalname}

$Users| select DisplayName,@{N='Email';E={$_.UserPrincipalName}},@{N='StrongAuthenticationRequirements';E={($_.StrongAuthenticationRequirements.State)}} | Export-Csv -NoTypeInformation c:\test0.csv

Below is the reference link

https://support.office.com/en-us/article/Set-up-multi-factor-authentication-for-Office-365-users-8f0454b2-f51a-4d9c-bcde-2c48e41621c6?ui=en-US&rs=en-US&ad=US

Azure AAD Connect Power Shell Command

In this Blog few Important commands for Daily administrative tasks

Connect to Azure AD

Open Azure Powershell Module and enter below commands to connect.

Connect-MsolService
Import-Module ADSync

Below commnad for any delta changes in AD
Start Delta Sync
Start-AdSyncSyncCycle delta

Below Commnad for Major changes which requires to Sync to O365.
Start Full Sync
Start-AdSyncSyncCycle initial


Remove a user
remove-msoluser -UserPrincipalName sa_test@Contoso.onmicrosoft.com -force

Remove a user from recycle bin
remove-msoluser -UserPrincipalName sa_test@Contoso.onmicrosoft.com -force -RemoveFromRecycleBin

Restore a user from Recycle Bin
restore-msoluser -UserPrincipalName sa_test@Contoso.onmicrosoft.com


Below is the script to force Password synchronization 

$adConnector = "Contoso.com,"
$aadConnector = "Contoso.com - AAD"
Import-Module adsync
$c = Get-ADSyncConnector -Name $adConnector
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter “Microsoft.Synchronize.ForceFullPasswordSync”, String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$c.GlobalParameters.Remove($p.Name)
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true

Full Password Sync
https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnectsync-implement-password-synchronization/#trigger-a-full-sync-of-all-passwords