Exchange Online and PowerShell: How to extend Max Sent Size for your users in bulk?

Hey Guys and girls hope you all are taking care of your health and staying safe during this Covid-19 situation.

So here is just a simple blog post that I’m going to write about, if you are going to do some big changes towards your user’s mailbox features, of course PowerShell is the right method to perform.

As you may know that Microsoft have extend the max size of send message to 150MB, this is not default size but is a allow size for your necessary.

Here is the code;

#First you got to connect to the Exchange Online PowerShell to get the commands

Connect-ExchangeOnline -UserPrincipalName <Global admin UPN> -ShowProgress $true

#You would want to get the primary ID which is the recipient type details because you are going to make changes on the user mailboxes, this code will gather all mailboxes that are UserMailbox type and the change will take in.

Get-Mailbox -RecipientTypeDetails UserMailbox | Set-Mailbox -MaxSendSize 50MB -Verbose

#Next to get confirmation that all users has apply the change, write out the result or you could export it to csv, using the Export-Csv command

Get-Mailbox -RecipientTypeDetails UserMailbox | Select Name,MaxSendSize

That is about it! Simple as that!

References:

  1. https://docs.microsoft.com/en-us/powershell/exchange/connect-to-exchange-online-powershell?view=exchange-ps
  2. https://docs.microsoft.com/en-us/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits#message-limits

PowerShell: PowerShell with MFA

It seems that more users are heading to enabling MFA but when it comes to managing via PowerShell, it can’t seem to login with their credential on normal PowerShell module.

When you have MFA enabled, you got to install the module  that’s support MFA. Pretty extra right? haha yea I know. Administrators tends to prefer GUI to manage but on other occasion we still need PowerShell to manage our cloud services.

To search for the PowerShell module tends to be a little tricky but hey I’m here to help you.

So enough of chit chat….let’s get it on!

First of all you got to open up your Exchange Online Portal > hybrid > Select the second option; Not the first option!

Capture

Note:

*Make sure your laptop or computer has the latest .Net Framework to support this module and supported Windows Operating System.

Once you got it install it will create a shortcut for you;

Capture

Anyway, do expect the Connect command will be the same as the usual PowerShell module.

Connect-EXOPSSession – Exchange Online

Capture.PNG

Connect-IPPSSession – Security and Compliance

Capture

References:

  1. https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/mfa-connect-to-exchange-online-powershell?view=exchange-ps

PowerShell Script: Schedule Litigation Hold Enabled Exchange Online

To share how to perform enabled litigation hold for User Mailbox using task scheduler. However, this may trigger your security application/detection in your environment (a.k.a “Unexpected script ran….”). This blog requires you to know how to use Task Scheduler.

*Note:

  • If you don’t specify license type in your script, is alright, the script will skip that user and move on with another one.
  • Some license doesn’t provide the litigation hold feature, such as E1 license.
  • This script is not a limited capability.

There are pretty much lots of ways you could perform this.

  1. You could perform based by checking on the user’s creation date and litigation hold status.
  2.  You could perform based by checking on the user’s department and litigation hold status
  3. You could perform based by checking only the litigation hold status
  4. You could perform based by checking the license type and litigation hold status
  5. You could perform based all 4 above

Well, it all depends on the requirements and necessary in the environment.

When I was scripting it, I notice if to perform manually running the script is best to make use “function” type, to avoid duplication. Anyways,

If you are planning to have this in task scheduler, you could have this PowerShell script save in any windows platform that has Windows PowerShell with the required module installed.

Before moving on, 

You would need to manually run a retrieve of office 365 global admin credential, save and encrypted into a file. If you are terrified of the file being accessed by others, just make some security adjustments towards the file. 

References:

  1. https://practical365.com/blog/saving-credentials-for-office-365-powershell-scripts-and-scheduled-tasks/
#Name: Sabrina Kay
#Purpose: This powershell is to enabled litigation hold

function Run-LitigationHoldEnabled{
#Parameter to get the path
param([string]$FilePath)

#retrieve the path
$File = Get-ChildItem -Path $FilePath -Filter *.cred

#Identify the file path iss found
if($File -eq $true){

#Have to convert to string, or get only the name, because the type is File System type
$UserName = $File.BaseName
$PwdSecureString = Get-Content "$($FilePath)\$($UserName).cred" | ConvertTo-SecureString

#Create a storable attribute object for username and password, (passsword won't be shown in plain text)
$UserCredential = New-Object System.Management.Automation.PSCredential -ArgumentList $UserName, $PwdSecureString

#Connect to Exchange Online
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking
#Get user mailbox with litigation hold not enabled, set them to enabled
Get-Mailbox -RecipientTypeDetails UserMailbox | where-object {$_.litigationholdenabled -eq $false} | Set-Mailbox -LitigationHoldEnabled $true

#Finish and end session
Remove-PSSession $Session
}

Else{
#End Session if file path not found
    Remove-PSSession $Session
    }
}

#Main Program
#attribute for the office 365 credential file path
$KeyPath = "C:\xxx\"

#Task to run
Run-LitigationHoldEnabled -FilePath $KeyPath

Exchange Hybrid, Exchange Online & Outlook: How to get more email storage space?

Well currently, most enterprise users are using local storage to save their emails. For those whom are on SSD storage would be a problem and also goes for normal HDD storage uses.

What is online archive? Online archive is basically like your local/normal archive feature that you usually sees on your outlook but instead it is online/cloud and it provides 1TB of space. If the organization did enable this and they probably would also enable retention policy, this is just set a policy to automate moving primary emails to the online archive based on a range of period. Anyway, this is up to the organization settings and decision.

*Note: Retention Policy has many functionality and it is also part of security related

To have online archive your organization must have license like Office365 ProPlus, E3, Office365 Business or Office365 Business Premium.

How to enable online archive?

  1. If the organization is in a hybrid environment, using Exchange 2016 and Exchange Online, as the IT Admin could enable the online archive from exchange 2016.
  2. If the organization is in a hybrid environment, using Exchange 2013 (as a bridge for migration to exchange online) and had older version of exchange too than as IT admin you could only enable online archive via Exchange Online. This is because there could be possible is the unique id causes. (not much of issue if you have plans to upgrade exchange 2013 to exchange 2016)
  3. If the organization is fully utilize Exchange online only, than as IT Admin you could enable online archive from exchange online > recipient > select specific recipient > mailbox feature.

*Note:

  1. If you would wish to bulk enable, than perform using powershell, but there are other categories in Office 365 you could enable the online archive, such as from security and compliance.
  2. If you would wish to disable it and wants to use back only the primary mailbox than below is a reference on how to perform it.

Reference:

  1. https://technet.microsoft.com/en-us/library/archive-features-in-exchange-online-archiving.aspx
  2. https://docs.microsoft.com/en-us/office365/securitycompliance/enable-archive-mailboxes
  3. https://docs.microsoft.com/en-us/office365/securitycompliance/unlimited-archiving

Office 365: How to handle resign user mailbox with litigation hold enabled?

Litigation hold is a feature that allows you to keep your mailbox with specific period or unlimited period. However, this is only the high level definition of litigation hold. Through out my deep and many research of Microsoft articles, especially technet it only state high level of definition of litigation hold but nothing about notices.

Few weeks ago I’ve encounter one of my user reported to me, saying that they have a user account that is disable (in Active Directory)blocked sign in and unlicensed but the mailbox still in active state and able to send (etc inbox forwarding rules) and receive mails and also able to login if with full access. After few research, I found a Microsoft article (support article “https://support.office.com/en-us/article/manage-inactive-mailboxes-in-office-365-296a02bd-ebde-4022-900e-547acf38ddd7“) , about how to handle inactive mailboxes. However, it still didn’t state why it happens or how this mechanism works.

We call this as deprecated account but active mailbox. I really hope that Microsoft could do something about this as it seems to me it is pretty troublesome to go extra further step to handle this, and also hope that they could elaborate more about litigation hold pro and cons or how this mechanism works.

*Note:

Please take note if you have mailboxes with unlimited litigation hold enabled, and user account in Active Directory is disable but in a sync Organization Unit, please move them to a unsync organization unit IMMEDIATELY or else it will full up the mailbox storage. 

To check whether which Organization unit is unsync;

  1. Just go to your Azure Active Directory Server
  2. Windows Start button
  3. open MIISCLIENT or Synchronize Services
  4. On top select “Connection”
  5. double on your local domain
  6. select Configure Directory Partition
  7. at the bottom right button
  8. select “Containers”
  9. enter Azure Active Directory credential
  10. you will able to view unchecked boxes means they are the unsync organization unit.

 

References:

  1. https://support.office.com/en-us/article/manage-inactive-mailboxes-in-office-365-296a02bd-ebde-4022-900e-547acf38ddd7
  2. https://technet.microsoft.com/en-us/library/ff637980(v=exchg.160).aspx#lithold
  3. https://technet.microsoft.com/library/dn743673(v=exchg.150).aspx
  4. https://technet.microsoft.com/en-us/library/dn790612.aspx

 

Office 365 & Exchange Online: Why have to be careful with Mail Flow Rules?

Many thought that even they are from programmer background or any Technical background could achieve to implement 101% accurately correct mail flow rules, based on a programmer mindset. However, by having such thoughts will bring risks to yourself and the company itself.

*Note: If you’re not familiar of the product, then please try not to play around with it in production environment. Always, start off with research and lab testing.

Mail flow rules brings huge impact to your organization’s mail flow with slight incorrect configuration of a rule. Example, mails send to only Department B, aren’t suppose for Department A to be view but then Department A somehow able to view mails that is for Department B. However, this causes data leak within organization.

 

Is best to spend time to understand the product than rather getting yourself in trouble.

 

Reference

  1. https://technet.microsoft.com/en-us/library/jj919235(v=exchg.150).aspx

 

Office 365: Enable Litigation Hold

Litigation hold is a feature in Exchange Online (EOP), to hold on a mailbox even license has been removed or user has deleted. There is also duration setting for how long to hold on the mailbox. The mailbox will stick at Microsoft server forever (unlimited duration).

Why litigation hold? To prevent lost of mailbox with accidental deletion, hold for auditing and act as backup. Anyway, easier for audits to audit/inspect the user mailbox. It is indeed recommended to enable this feature.

*Note:

For a user;

  1. Go to > EOP > Recipients > mailbox
    • step1
  2. Select a user
    • step2
  3. Double click to access to properties, and click on mailbox features, scroll down  and find “Litigation hold” (now is Disabled)
    • step3.PNG
  4. Click enable and save
    • step4.PNG
  5. If you wish to set duration of the hold should last, you could enter the specify number of days. (Yes,  they take in as Days)
    • * If you want it to be unlimited then just leave that box blank and click save
    • step5.PNG
  6. After enable the litigation hold, and it will prompt “this will take effect after 60 minutes”

For all user mailboxes;

*Azure Power Shell is required 

  1. Open Azure Power Shell > Connect to Exchange Online
#This command run once (for permission purposes)
Set-ExecutionPolicy Unassigned
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session

2. Next run the following command to Get only User Mailboxes and enable the litigation hold

a. Unlimited

Get-Mailbox -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -litigationholdenabled $true

OR

Get-Mailbox -RecipientTypeDetails usermailbox | Set-Mailbox -litigationholdenabled $true

OR

Get-Mailbox -RecipientTypeDetails usermailbox |  where {$_.litigationholdenabled -eq $false} | Set-Mailbox -litigationholdenabled $true

b. With Duration specified

Get-Mailbox -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -litigationholdenabled $true -litigationholdduration 365

How to check whether litigation is working?

The interface way;

  1. Take a test mailbox with licensed and litigation hold enabled
  2. Remove test license
  3. Wait for half an hour
  4. Go to > EOP > Recipients > Mailbox
  5. At the search box > key in user’s name
  6. Click Refresh icon
  7. You can see that the user mailbox is still there

*Note: At the AD, if you’ve move the user account to another OU which is unsync OU, the user will not appear in the EOP mailbox, instead it will appear as “Deleted mailbox”. This is a normal behaviour. The mailbox is not deleted, it is still attach with the Microsoft server. So don’t worry.

The Power Shell way;

  1. Run this Get Command, to retrieve user mailbox with litigation hold enabled
Get-Mailbox -Filter {RecipientTypeDetails -eq "UserMailbox"} | where {$_.LitigationHoldEnabled -eq $true} | FL

OR

Get-Mailbox -RecipientTypeDetails “UserMailbox” | where {$_.LitigationHoldEnabled -eq $true}

 

References:

  1. https://technet.microsoft.com/en-us/library/jj984289(v=exchg.160).aspx
  2. https://technet.microsoft.com/en-us/library/dn743673(v=exchg.160).aspx