Office 365: Email address with random numbers attached UPN (user123@contoso.onmicrosoft.com)

Why do some of my users have random numbers attach with their UPN? Well the only answer to this question is, duplication occur because you haven’t force delete the old account from Office 365 recycle bin. And by default there is a setting in Azure AD to detect duplication is set to false, so this is another reason that even there are duplication in AD created and a sync has been trigger the duplication will also be sync to the Office 365.

To prevent any duplication in future to be sync to the Office 365, is to set the duplication checking in Azure AD to true. So that any duplication is scan will be rejected to be sync to the Office 365. To resolve the duplication currently having is to delete the account and resync it to Office 365.

*Note: These random numbers in your smtp has no implication or effects to your mailbox/account, but it is only not nice to see it that way. It is up to your choice to do it or not.

*Azure Module Power Shell needed

  1. Open Azure power shell
  2. Type the following command to get the sync feature

Connect-MsolService

Get-MsolDirSyncFeatures

dirsyncfeature

3. Next, enable both of the feature to true

Set-MsolDirSyncFeatures -Feature DuplicateUPNResiliency -Enabled $true

Set-MsolDirSyncFeatures – Feature DuplicateProxyAddressResiliency -Enabled $true


*Note:

Situation 1: If the mailbox is still new, you will only need to delete the account and force delete from the recycle bin, then do a resync 

Situation 2: If user have the mailbox for very long, you have to break the dirsync wait for the account’s status change from “Sync from on premise” to “on cloud“, then from Office 365 you can edit its smtp address but make sure you have your recycle bin clear from the old account. (Yes this is much troublesome than Situation 1)


Step by step for situation 1

  1. Locate the account from Office 356
  2. Unassign the mailbox license
  3. At Active Directory, move the account to a unsync organization unit
  4. At Azure AD Connect, run a manual sync command

Start-ADSyncSyncCycle -PolicyType Delta

5. Make sure the account at Office 365 has gone to the “Deleted User” Category

6. Once the account has been appear in “Deleted User” Office 365, you have to run a command to force deleted from the recycle bin.

7. Open Azure Module PowerShell

8. Type the following command, enter the UPN that you wish to remove from recycle bin

Connect-MsolService

Get-MsolUser -ReturnDeletedUser

Get-MsolUser -ReturnDeletedUser | Remove-MsolUser -UserPrincipalName xxxx@domain.com -RemoveFromRecycleBin -Force

9. After finish remove the account from recycle bin, move back the account from unsync Organization Unit to Sync Organization Unit

10. At Azure AD Connect, run the manual sync command

11. At Office 365, locate the account and assign license

12. You can notice there is no more random numbers found


Step by Step for Situation 2

*Make sure recycle bin is clear from duplication accounts

  1. Open Azure Module PowerShell
  2. Type the following command, enter the UPN that you wish to remove from recycle bin

    Connect-MsolService

    Get-MsolUser -ReturnDeletedUser

    Get-MsolUser -ReturnDeletedUser | Remove-MsolUser -UserPrincipalName xxxx@domain.com -RemoveFromRecycleBin -Force

  3. Open Azure Module Powershell
  4. Type the following command

Connect-MsolService

Set-MsolDirSyncEnabled -EnableDirSync $false

3. You probably have to wait for 24hr to 48hrs for the dirsync to complete progress

4. At Office 365 > Exchange Online > Recipients > Mailbox

5. Search for the account > Double click on it

6. Go to Email Option > select the smtp address to edit

7. Remove the random numbers from the smtp address

8. Save your changes

*Make sure you put this to lab test before trying it out in actual environment, just to get clear understanding what are you doing

 

References:

  1. https://support.office.com/en-us/article/Turn-off-directory-synchronization-for-Office-365-ee5f861e-bd48-4267-83d1-a4ead4b4a00d

Office365, Exchange, Azure, AD: Why you should always check your Office365 Recycle Bin?

Every human mistake is they never check what is inside their recycle bin before proceeding.

The very first thing you should do when you want to create a user is to check your Office 365 recycle bin! Why? Because is best to avoid another problem for yourself unless you are the problem. To also avoid duplication occur in Office 365.

Imagine yourself hitting the brick wall by creating and deleting repetition of a particular user account, setting yourself in panic moment and continue getting errors such as,

  1. Unable to get the user account to sync up to Office 365
  2. Incorrect user principal name
  3. Worst -> Incorrect Immutable ID

So ALWAYS CHECK OFFICE 365 RECYCLE BIN BEFORE PROCEEDING TO CREATE!

Office 365 & Azure Powershell: Why not to use -SearchString pipe to Set function command?

Even though that you type the following command and it return you a single result, and you thought that it would work but it will not work.

Example:

  1. First you try to get the user, and you able to retrieve a result

Get-MsolUser – SearchString “abc”

#Result
Name                     UserPrincipalName
———                     ——————————-

abc                           abc@domain.com

2. After getting the user, you try to pipe it to a Set function. However, you receive an error like below; this error indicates an exception is trigger in Microsoft  backend and prevent such command to proceed.

Get-MsolUser -SearchString “abc” | Set-MsolUserPrincipalName -NewUserPrincipalName “aaa@domain.com”

#Result

Set-MsolUserPrincipalName : Unable to update parameter. Parameter name: IMMUTABLEID.
At line:1 char:44
+ … abc” | Set-MsolUserPrincipalName -NewUserPrincipalName “aaa…
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Set-MsolUserPrincipalName], MicrosoftOnlineException
+ FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.PropertyNotSettableException,Microsoft.Online.Admi
nistration.Automation.SetUserPrincipalName

3. So the correct way to do it is to either

Get-MsolUser -UserPrincipalName “abc@domain.com” | Set-MsolUserPrincipalName -NewPrincipalName “aaa@domain.com”
OR

Set-MsolUserPrincipalName -UserPrincipalName “abc@domain.com” -NewUserPrincipalName “aaa@domain.com”

*Note: Please test it out before you implement

Azure AD Connect (AADC): How to resolve Stopped-extension-dll-exception?

Usually this error will not have any effect to Office 365 Dirsync, but it is indeed annoying to see error in our Azure AD Connect Sync Client Interface. Is best to resolve this error.

There are only 4 possible causes;

  1. AADC is OUTDATED ()
    • Check for AADC version
    • If it is outdated than update it, run the sync again
    • Reference: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-upgrade-previous-version
  2. AADC’s schema crashes
    • Run the AADC application and restart the schema
    • Reference: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-installation-wizard
  3. Azure AD account Sync password is not set to “Password Never Expired”
    • *Note: By default, when you setup AADC this is already turn on
    • If you had turn this feature off,you have to update the password and enable the feature back on.
    • Run Azure PowerShell Module command
      • Connect-MsolService
      • #Set new password
        Set-MsolUserPassword
        -UserPrincipalName “XXXXXXX” -NewPassword “pa$$word
      • Set-MsolUser -UserPrincipalName "XXXXXXXXX" -PasswordNeverExpires $true
      • Restart the AADC service
      • #After restart runs finish, type this command
        Start-ADSyncSyncCycle -PolicyType Initial
  4. Server itself is having problem
    • Restart the server
  5. Permission missing
    • If you enable single sign-on, remember its minimum requirement of the permission rights for service account is domain admin
  6. DNS routing issue
    • If you notice that you are having trouble resolving “login.windows.net” this is due to your DNS settings in your DNS server/AADC server network settings
    • Most likely is DNS server settings, is configure wrongly
    • Try to run nslookup to identify the return result
    • If there is a forwarder in place, remove it.

The above causes are also the steps-by-steps investigation, and to resolve this error it is best to follow the above category and resolving them.

*Note: This error may occurs after few hours and it is best to monitor for 24 hours or 48 hours.

AD & Office 365: Soft-matching Distribution List from AD to Office 365

Want to manage your cloud Distribution List with on-premise? You could do soft-matching to get Distribution list match and synchronized back  to Office 365.

Yes, to perform this you could either manually or powershell. Manually means that you will configure using the GUI of AD. For powershell is for a large amount of Distribution List.

The 3 major attributes needed to fulfill in AD for having a successful soft-matching are;

  1. displayName
  2. mail
  3. proxyAddresses

*Note: 3 of these attributes above must have the same value with the Distribution list in Office 365.

softmatch.PNG

Next, after finishing fulfilling the values of these 3 attributes, you can go ahead to your Azure AD server (AADC) and run the sync.

  1. Open Windows Powershell or open Microsoft Azure Powershell Module
  2. Type this command
    1. Start-ADSyncSyncCycle -PolicyType Delta

      • *Note: This only sync changes
    2. Check your Azure Sync Client Interface for sync progress
  3. Once sync progress is finish, go to your Office 365 portal
  4. At the admin center > Groups > Search for your Distribution list

References:

  1. https://gallery.technet.microsoft.com/Soft-Match-Cloud-b2652fee

Vectra: AI Threat Detection (Live Threat Detection)

Many industries are either in the prevent or in the forensic stage to resolve their threat. However, non are detecting active threats running in the enterprise. Thus, this will lead to huge implication to the enterprise.

vectra-logo-og

Vectra is an Artificial Intelligent (AI) Threat Detection and Response. How cool is that?

Vectra uses algorithm to detect threats, instead of using a Database of threats to identify threats in the network environment.

What does Vectra do ;

  1. Is that it always keeps tracks of packets following in and out of the premises
  2. Detects types of threat that is found on a packet
  3. Keep tracks of the packet threat stage
  4. Provide “From” and “To” details of the transmission of packets
  5. Alert the premises’s technical team about threat
  6. Allow premises’s technical team to determine what types of threat to detect on packets

2 types of flow of compromise of threats;

vectra1.png

  • Procedure steps threats
    • Go through number of stages to extract confidential data
  • Direct attack threats
    • Extract confidential data directly once compromise

These are the summarize definition of the image above (stages of threats);

Command & Control Botnet monetization Internal reconnaissance Lateral Movement Exfiltration
•C&C

•Cyber admin  coordinate an attack over time

•Commonly associated with click fraud, sending spam or generating DDoS traffic at a target

Consume valuable resources

Damage the external reputation of the network

•Target is not an organization’s more critical assets

•Vital part of a targeted attack

•Begins shortly after an initial infection

•Allow Cybercriminals orient an attack inside a network and identify targets for lateral movement

•Establish multiple points of persistence in a network while moving deeper toward key assets Extract compromised data from inside a network to a remote external attacker

•Multiple hops or staging phases to evade security controls

Is good to know that there is a technology that could help enterprise to avoid threats attack first before being compromised.

Vectra detects Active Attacks;

v1

Below is a graph of how most organization focus on which phases more to protect their environment from threats,

v2.png

References:

  1. https://vectra.ai/understanding-todays-cyber-security-challenges

Office 365: Synchronized/Migrated user showing wrong UPN in Office 365

Oh no! I forgot to change/set the user’s UPN correctly before migration! Even a simple job we could get it wrongly. Thus, this will lead you to panic. Well, if you are panic, just take a deep breath.

Usually, such problem we resolve it by breaking/disable the DirSync so that the user’s status change from “Sync from on prem” to “cloud”. So that if we could make the changes at the Office 365, without interrupting the on-prem. However, this kind of solution is troublesome because it takes hours for the DirSync to complete disable and waiting for the user’s status to change. When I mean by hours, depends of the amount of users you have at Office 365. The larger the amount the longer it takes for the time taken for the DirSync to complete disable and for the user’s status to change.

Here are the problems we faced:

  1. Forgot to set the email policy
  2. Forgot how to set email policy
  3. Set the wrong email policy
  4. Highly confident and doesn’t double check
  5. Doesn’t do enough research about preparation of migration

Lucky for me that I have found a way to solve this kind of clumsiness, please refer to the reference given below.

Note: This solution is only for clumsy situation. Don’t put it into your planing of migration, because this will make you feel like a total blockhead in front of your customers. Please do not take it in as a habit.

Reference:

  1. http://www.codenutz.com/office365-changing-the-main-login-name-for-upn-for-a-user-via-powershell/

[Old Version] Azure & Office 365: How to enable RMS?

Aloha (Hello)…I know there is the new feature from Microsoft, Azure Protection P2 where users can protect their attachments and etc. For short, double protection. This feature is actually another license (Azure License) is not include in the Enterprise licenses. Thus, you have to purchase it separately.

Anyway, this article is only for users/customer that doesn’t need double protection/smaller industry. I am more comfortable to activate RMS using the Azure classic portal;

Step by steps;

  1. Go to https://manage.windowsazure.com
  2. Key in your global admin credentials
  3. Click on Active Directory
    1. azureportalv1.png
  4. At the top bar, select Rights Management
    1. azureportalv2
  5. In the Rights Management page you can view whether your RMS is Active or Deactivate
  6. To activate it there is a button at the bottom bar of the page
  7. If you wish to manage it or create new policy, you can just go ahead and click on the RMS that you just activate it.
  8. Note: If you wish to manage or create new policy, please seek for advice from Microsoft Support for further understanding.
  9. Note:Please review the below Reference to fully activate RMS that is in need of using Powershell to complete.
  10. Note: Default RMS policies are unable to be deleted.

Reference:

  1. https://docs.microsoft.com/en-us/information-protection/deploy-use/activate-azure-classic
  2. https://blogs.technet.microsoft.com/canitpro/2015/05/19/step-by-step-setup-and-enablement-of-office-365-message-encryption/

Office 356: How to export list with licenses details and smtp details via PowerShell?

I know I am not the best coder but I always like to find the simplest coding way so it is easier for beginners to not feel frustrated.

I do find it confusing when you got an error in your exported csv file of the list.

System.Collections.Generic.List`1[System.String]

*Note: This is basically only for attributes which contain more characters/words or more than a word (means there are “:” or “;” as a divider), such as the value in accountskuid attribute is {contoso:enterprisepackage}.

For example;

  1. If you try to export a list of user from office 365, as a logical thinker you would probably type such code;

    Get-MsolUser -All | Select userprincipalname, proxyaddresses, licenses.accountskuid | Export-csv list.csv

However, this code will not get you what you want, instead it will give you the error.

The proper code should be:

Get-MsolUser -All | Select userprincipalname, {$_.proxyaddresses}, {$_.licenses.accountskuid} | export-csv list.csv

The “licenses.accountskuid” means a class named licenses in office 365 system, inside it has an attribute name, “accountskuid”. You have to do it this way to get/call/pull out the attribute you wish to be propagated in your csv file.

If you wish to test out my code whether it works, then it is best for you to replace “-All” with “-MaxResults”(Means display max result among the list of users).
Example;

#This will only display 1 user with license assigned

Get-MsolUser -MaxResults 1 | Select userprincipalname, {$_.proxyaddresses}, {$_.licenses.accountskuid} | where {$_.islicensed -eq $true} | export-csv list.csv

There are lots of ways to do so. You could use the fancy way that is using the “-expandproperty” or “-properties” and etc.
Coding is up to your comfortably and understandable.

References:

  1. https://mymicrosoftexchange.wordpress.com/2015/03/23/office-365-script-to-get-detailed-report-of-assigned-licenses/

Skype for Business: How to setup QoS at client side?

Well there are 2 ways you could perform this is by editing the client’s computer (local group policy) or push the settings using group policy management.

Anyway, both of these methods or steps are similar and simple to setup.

*Note: A wrong value can causes the QoS not running correct

Steps for local group policy;

  1. Make sure you are login as local administrator on your computer
  2. Go to > Start > Search > Group policy
  3. At the group policy > computer configuration > Windows settings > policy QoS settings
  4. Create new policy
  5. Just follow the below image to create total of 5 QoS policies

sfb2

6. During creating the policy, just change which is necessary. Leave the others as default.

7. Do a restart of the computer (I always do this)

Steps for  GPM;

  1. Open GPM
  2. Create a new GPO and name it
  3. Right click the GPO and click edit
  4. At the group policy > computer configuration > Windows settings > policy QoS settings
  5. Create new policy
  6. Just follow the below image to create total of 5 QoS policies

sfb2

7. Link this GPO to the OU you wish to have this GPO implemented

8. After that remember to do gpupdate /force on both the server and the client computer

For testing;
1. Install wireshark

2. Select the network you connected and Start the wireshark (Start Capture traffic)

3. Start your skype for business audio call or video call, or both within the same network. Do a peer-to-peer communication.

4. Talk to the audio or make some sound for a minute or 2.

5. End the skype for business call (audio or video)

6. Stop your wireshark

7. Save your traffic

8. You should be able to see your QoS is working

 

wireshark.png

References:

  1. https://three65.blog/2015/09/07/skype-for-business-configuring-quality-of-service-qos/
  2. https://gallery.technet.microsoft.com/office/Configure-QoS-for-Skype-cdea2e67
  3. https://gallery.technet.microsoft.com/lync/Configure-QoS-for-Skype-cdea2e67