• Users can no longer access the management of a Distribution Group in Outlook
• Synchronized Distribution Groups in Office 365 cannot be modified in Office 365 – as a synchronized object you must update in Active Directory
• Adding external contacts to a synchronized Distribution Group becomes difficult as you cannot synchronize contacts with Azure AD Connect

The solution is relatively simple – convert all Distribution Groups to Cloud objects.

This script was designed to do exactly that.

<#

#########################################################################################

##

## Name:        DG_Cloud.PS1

##

## Version:     1.0

##

## Description: $ Installs required components for Exchange Online Powershell Management

##              $ Creates a “Working” folder for Sea to Sky (C:\STS) for backups.

##              $ Creates an “Exports” folder for the temp files needed to migrate the

##              Distribution Lists.

##              $ Backs up the Distribution List Names and Attributes to DG_Details_Backup.csv

##              $ Backs up the Distribution List Members to DG_Members_Backup.csv

##              $ Capable of running mulitple times and retaining existing backups – creates

##              new backups each time it’s run if any new groups are detected

##              $ Selectively Creates a copy of each Distribution Group called Cloud_$Group

##              that are specifically Distribution Groups and not Mail-Enabled Security

##              groups.

##              $ Deletes the selected Distribtuion Groups from Active Directory

##              $ Initiates an Azure AD Connect to remove the AD objects from Cloud Environment

##              $ Forces wait period of 5 minutes to allow Azure AD to synchronize with Exchange

##              $ Completes process by renaming Cloud_$Group back to original name

##

## Usage:       Execute script in PowerShell with elevated privileges

##

## Author: Jason Zondag

##

## Disclaimer:  Has not been tried in every conceivable environment – always check the results

##              and fall back on the backups created to recreate the Distribution Groups if

##              necessary

##

#########################################################################################

###### ALTERNATIVE CODE FOR MFA LOGIN TO OFFICE 365  ####################################

#Connect & Login to ExchangeOnline (MFA)

$getsessions = Get-PSSession | Select-Object -Property State, Name

$isconnected = (@($getsessions) -like ‘@{State=Opened; Name=ExchangeOnlineInternalSession*’).Count -gt 0

If ($isconnected -ne “True”) {

Connect-ExchangeOnline

}

#########################################################################################

#>

clear

Write-Host “———————————————————————————————-” -ForegroundColor Cyan

Write-Host “!!!!!IMPORTANT!!!!!!” -ForeGroundColor Red

Write-Host “———————————————————————————————-” -ForegroundColor Cyan

Write-Host “!!!!!IMPORTANT!!!!!!” -ForeGroundColor Red

Write-Host “YOU MUST RUN THIS SCRIPT FROM THE DOMAIN CONTROLLER THAT IS RUNNING AZURE AD CONNECT” -ForeGroundColor Red

sleep 5

Write-Host “IF YOU ARE NOT PLEASE USE CTRL + C TO ESCAPE AND RUN FROM THE APPROPRIATE DOMAIN CONTROLLER” -ForeGroundColor Red

Write-Host “———————————————————————————————-” -ForegroundColor Cyan

Write-Host “It’s also important to note that this only affects Distribution Lists and not Mail-Enabled” -ForeGroundColor Green

Write-Host “Security Groups.  Mail-Enabled Security Groups must be handled differently.” -ForeGroundColor Green

Write-Host “———————————————————————————————-” -ForegroundColor Cyan

sleep 15

Pause

Write-Host “Connecting to Exchange Online – installing all required PowerShell Modules and initiaing a connection” -ForegroundColor Green

# ————————————————————————–

# Load PowerShell Modules

# ————————————————————————–

Set-ExecutionPolicy RemoteSigned -Force

Import-Module ActiveDirectory

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Install-Module -Name ExchangeOnlineManagement -Force

Import-Module ExchangeOnlineManagement

#Connect & Login to ExchangeOnline (MFA)

$getsession = get-pssession | select-object -Property State | select -expandproperty state

If ($getsession -ne “Opened”) {

Connect-ExchangeOnline

}

Write-Host “Completed” -ForegroundColor Green

Write-Host “———————————————————————————————-” -ForegroundColor Cyan

Write-Host

Write-host

Write-Host “______________________________________________________________________________________________” -ForegroundColor Cyan

Write-Host “Synchronized Distribution Groups with no ManagedBy settings will be defaulted to Organization” -ForeGroundColor Yellow

Write-Host “Management. This value cannot be translated.” -ForeGroundColor Yellow

Write-host

Write-Host “You must set a default account value to replace Organization Management.” -ForeGroundColor Green

Write-Host “The default account must be a valid licensed address for this tenant.  IE. seatosky@domain.com ” -ForeGroundColor Green

$ManagedByDefault = Read-host “Enter the email address of a valid licensed account for this tenant:”

Write-Host “______________________________________________________________________________________________” -ForegroundColor Cyan

# Disable Azure AD Connect from initiating a sync while this process is underway

Set-ADSyncScheduler -SyncCycleEnabled $false

Write-host “Azure AD Connect Schedule Sync has been disabled temporarily.”

# ————————————————————————–

# Create Working and Export folders

# ————————————————————————–

Write-Host “Creating a Working Directory C:\DG-Migrate and an Exports Directory within the Working Directory” -ForegroundColor Green

# Create a working directory

$orginfo = Get-OrganizationConfig | select -expandproperty Name

$WorkingDirectory = “C:\DG-Migrate\” + $orginfo + “\”

$ExportDirectory = $WorkingDirectory + “ExportedAddresses\”

If(!(Test-Path -Path $WorkingDirectory )){

# if WorkingDirectory doesn’t exist neither does ExportDirectory – create them both

            Write-Host ”  Creating Directory: $WorkingDirectory”

            New-Item -ItemType directory -Path $WorkingDirectory | Out-Null

            Write-Host ”  Creating Directory: $ExportDirectory”

            New-Item -ItemType directory -Path $ExportDirectory | Out-Null

        } else {

# WorkingDirectory may exist but that doesn’t mean ExportDirectory does – create if it doesn’t exist

If(!(Test-Path -Path $ExportDirectory )){

            Write-Host ”  Creating Directory: $ExportDirectory”

            New-Item -ItemType directory -Path $ExportDirectory | Out-Null

}

}

Write-Host “Completed” -ForegroundColor Green

Write-Host “———————————————————————————————-” -ForegroundColor Cyan

Write-Host “Creating a backup of all AD Synchronized Distribution Lists and placing into the Working Directory” -ForegroundColor Green

# ————————————————————————–

# Export all the Distribution Group Information to a separate file

# ————————————————————————–

$check = (get-distributiongroup | Where {($_.IsDirSynced -eq $true) -AND ($_.RecipientType -eq “MailUniversalDistributionGroup”)})

if ((($check | Measure-Object).count) -ne 0) {

# Not 0 so we found some Distribution Groups to migrate

# We don’t want to overwrite an existing backup set – rename any existing files with a time stamp

    if (Test-Path ($WorkingDirectory + “DG_Details_Backup.csv”)) {

        $filename = ($WorkingDirectory + “DG_Details_Backup.csv”)

        $fileObj = get-item $filename

        $DateStamp = get-date -uformat “%Y-%m-%d@%H-%M-%S”

        $extOnly = $fileObj.extension

        if ($extOnly.length -eq 0) {

            $nameOnly = $fileObj.Name

            rename-item “$fileObj” “$nameOnly-$DateStamp”

            }

        else {

            $nameOnly = $fileObj.Name.Replace( $fileObj.Extension,”)

            rename-item “$fileName” “$nameOnly-$DateStamp$extOnly”

        }       }

$check | select `

    GroupType, `

    SamAccountName, `

    IsDirSynced, `

    @{label=”ManagedBy”;expression={

        ($_.managedby `

        | % { get-mailbox -identity $_ | select-object -ExpandProperty PrimarySMTPAddress } `

        | Where-Object {$_ -like “*@*”}) -join ‘;’}

        }, `

    MemberJoinRestriction, `

    MemberDepartRestriction, `

    ReportToOriginatorEnabled, `

    Description, `

    AddressListMembership, `

    Alias, `

    DisplayName, `

    PrimarySMTPAddress, `

    @{label=”EmailAddressess”;expression={

        ($_.EmailAddresses | Where-Object {$_ -like “*smtp:*” }) -join ‘;’}

        },`

    ExternalDirectoryObjectId, `

    HiddenFromAddressListsEnabled, `

    LegacyExchangeDN, `

    MaxSendSize, `

    MaxReceiveSize, `

    ModeratedBy, `

    ModerationEnabled, `

    PoliciesIncluded, `

    PoliciesExcluded, `

    EmailAddressPolicyEnabled, `

    RecipientType, `

    RecipientTypeDetials, `

    RequireSenderAuthenticationEnabled, `

    WindowsEmailAddress, `

    Identity, `

    Id, `

    Name, `

    DistinguishedName, `

    ExchangeObjectId, `

    Guid `

| Export-CSV ($WorkingDirectory + “DG_Details_Backup.csv”) -NoTypeInformation

sleep 20

    }

else {

    Write-Host “There are no appropriate Distribution Lists to migrate.  Cancelling migration.”

    Break

}

Write-Host “Completed” -ForegroundColor Green

Write-Host “———————————————————————————————-” -ForegroundColor Cyan

Write-Host “Creating a backup of Distribution List Membership and placing in the Working Directory” -ForegroundColor Green

# ————————————————————————–

# Export all the Distribution Group Members to a separate file

# ————————————————————————–

$output = @()

$Identities = import-csv ($WorkingDirectory + “DG_Details_Backup.csv”) | select Name,PrimarySmtpAddress,Managedby,GroupType,RecipientType

If ($Identities) {

Foreach($group in $Identities) {

    $Members = Get-DistributionGroupMember $group.PrimarySmtpAddress -resultsize unlimited

    if (@($Members.count) -eq 0) {

        #$managers = ($group | Select @{Name=’DistributionGroupManagers’;Expression={[string]::join(“;”, ($_.Managedby))}})

        $userObj = New-Object PSObject

        $userObj | Add-Member NoteProperty -Name “DisplayName” -Value EmptyGroup

        $userObj | Add-Member NoteProperty -Name “Alias” -Value EmptyGroup

        $userObj | Add-Member NoteProperty -Name “RecipientType” -Value EmptyGroup

        $userObj | Add-Member NoteProperty -Name “Recipient OU” -Value EmptyGroup

        $userObj | Add-Member NoteProperty -Name “Primary SMTP address” -Value EmptyGroup

        $userObj | Add-Member NoteProperty -Name “Distribution Group” -Value $group.Name

        $userObj | Add-Member NoteProperty -Name “Distribution Group Primary SMTP address” -Value $group.PrimarySmtpAddress

        $userObj | Add-Member NoteProperty -Name “Distribution Group Managers” -Value $managers.DistributionGroupManagers

        $userObj | Add-Member NoteProperty -Name “Distribution Group Type” -Value $group.GroupType

        $userObj | Add-Member NoteProperty -Name “Distribution Group Recipient Type” -Value $group.RecipientType

        $output+=$UserObj

        }

    else {

    Foreach($Member in $members) {

        #$managers = $group | Select @{Name=’DistributionGroupManagers’;Expression={[string]::join(“;”, ($_.Managedby))}}

        $userObj = New-Object PSObject

        $userObj | Add-Member NoteProperty -Name “DisplayName” -Value $Member.Name

        $userObj | Add-Member NoteProperty -Name “Alias” -Value $Member.Alias

        $userObj | Add-Member NoteProperty -Name “RecipientType” -Value $Member.RecipientType

        $userObj | Add-Member NoteProperty -Name “Recipient OU” -Value $Member.OrganizationalUnit

        $userObj | Add-Member NoteProperty -Name “Primary SMTP address” -Value $Member.PrimarySmtpAddress

        $userObj | Add-Member NoteProperty -Name “Distribution Group” -Value $group.Name

        $userObj | Add-Member NoteProperty -Name “Distribution Group Primary SMTP address” -Value $group.PrimarySmtpAddress

        $userObj | Add-Member NoteProperty -Name “Distribution Group Managers” -Value $managers.DistributionGroupManagers

        $userObj | Add-Member NoteProperty -Name “Distribution Group Type” -Value $group.GroupType

        $userObj | Add-Member NoteProperty -Name “Distribution Group Recipient Type” -Value $group.RecipientType

        $output+=$UserObj

        }

    }

   }

   # We don’t want to overwrite an existing backup set – rename any existing files with a time stamp

    if (Test-Path ($WorkingDirectory + “DG_Members_Backup.csv”)) {

        $filename = ($WorkingDirectory + “DG_Members_Backup.csv”)

        $fileObj = get-item $filename

        $DateStamp = get-date -uformat “%Y-%m-%d@%H-%M-%S”

        $extOnly = $fileObj.extension

        if ($extOnly.length -eq 0) {

            $nameOnly = $fileObj.Name

            rename-item “$fileObj” “$nameOnly-$DateStamp”

            }

        else {

            $nameOnly = $fileObj.Name.Replace( $fileObj.Extension,”)

            rename-item “$fileName” “$nameOnly-$DateStamp$extOnly”

        }       }

    $output | Export-CSV ($WorkingDirectory + “DG_Members_Backup.csv”) -NoTypeInformation

   }

# ———————————————————————————————-

sleep 15

Write-Host “Completed” -ForegroundColor Green

Write-Host “———————————————————————————————-” -ForegroundColor Cyan

# ————————————————————————–

# Create the Cloud copies of the Distribution Lists

# ————————————————————————–

Write-Host “Creating Cloud copies of each AD Synced Distribution List” -ForegroundColor Green

$Identities = import-csv ($WorkingDirectory + “DG_Details_Backup.csv”) | select -expandproperty PrimarySmtpAddress

# Create the cloud versions

If ($Identities) {

    foreach ($group in $identities) {

    If (((Get-DistributionGroup $group -Resultsize Unlimited -ErrorAction ‘SilentlyContinue’).IsValid) -eq $true) {

        $OldDG = Get-DistributionGroup $group

        [System.IO.Path]::GetInvalidFileNameChars() | ForEach {$Group = $Group.Replace($_,’_’)}

        $OldName = [string]$OldDG.Name

        $OldDisplayName = [string]$OldDG.DisplayName

        $OldPrimarySmtpAddress = [string]$OldDG.PrimarySmtpAddress

        $OldAlias = [string]$OldDG.Alias

           

            if ((![string]$OldDG.managedby) -or ([string]$OldDG.managedby -eq “Organization Management”)) {

                [string]$OldDG.managedby=$ManagedByDefault

                }

           

        $OldMembers = (Get-DistributionGroupMember $OldDG.PrimarySmtpAddress).primarysmtpaddress “EmailAddress” > “$ExportDirectory\$OldName.csv”

        $OldDG.EmailAddresses >> “$ExportDirectory\$OldName.csv”

        “x500:”+$OldDG.LegacyExchangeDN >> “$ExportDirectory\$OldName.csv”

        Write-Host ”  Creating Group: Cloud-$OldDisplayName” -ForegroundColor Green

        New-DistributionGroup `

            -Name “Cloud-$OldName” `

            -Alias “Cloud-$OldAlias” `

            -DisplayName “Cloud-$OldDisplayName” `

            -ManagedBy $OldDG.ManagedBy `

            -Members $OldMembers `

            -PrimarySmtpAddress “Cloud-$OldPrimarySmtpAddress” | Out-Null

        Sleep -Seconds 3

        Write-Host ”  Setting Values For: Cloud-$OldDisplayName” -ForegroundColor Green

        Set-DistributionGroup `

            -Identity “Cloud-$OldPrimarySmtpAddress” `

            -AcceptMessagesOnlyFromSendersOrMembers $OldDG.AcceptMessagesOnlyFromSendersOrMembers `

            -RejectMessagesFromSendersOrMembers $OldDG.RejectMessagesFromSendersOrMembers `

        Set-DistributionGroup `

            -Identity “Cloud-$OldPrimarySmtpAddress” `

            -AcceptMessagesOnlyFrom $OldDG.AcceptMessagesOnlyFrom `

            -AcceptMessagesOnlyFromDLMembers $OldDG.AcceptMessagesOnlyFromDLMembers `

            -BypassModerationFromSendersOrMembers $OldDG.BypassModerationFromSendersOrMembers `

            -BypassNestedModerationEnabled $OldDG.BypassNestedModerationEnabled `

            -CustomAttribute1 $OldDG.CustomAttribute1 `

            -CustomAttribute2 $OldDG.CustomAttribute2 `

            -CustomAttribute3 $OldDG.CustomAttribute3 `

            -CustomAttribute4 $OldDG.CustomAttribute4 `

            -CustomAttribute5 $OldDG.CustomAttribute5 `

            -CustomAttribute6 $OldDG.CustomAttribute6 `

            -CustomAttribute7 $OldDG.CustomAttribute7 `

            -CustomAttribute8 $OldDG.CustomAttribute8 `

            -CustomAttribute9 $OldDG.CustomAttribute9 `

            -CustomAttribute10 $OldDG.CustomAttribute10 `

            -CustomAttribute11 $OldDG.CustomAttribute11 `

            -CustomAttribute12 $OldDG.CustomAttribute12 `

            -CustomAttribute13 $OldDG.CustomAttribute13 `

            -CustomAttribute14 $OldDG.CustomAttribute14 `

            -CustomAttribute15 $OldDG.CustomAttribute15 `

            -ExtensionCustomAttribute1 $OldDG.ExtensionCustomAttribute1 `

            -ExtensionCustomAttribute2 $OldDG.ExtensionCustomAttribute2 `

            -ExtensionCustomAttribute3 $OldDG.ExtensionCustomAttribute3 `

            -ExtensionCustomAttribute4 $OldDG.ExtensionCustomAttribute4 `

            -ExtensionCustomAttribute5 $OldDG.ExtensionCustomAttribute5 `

            -GrantSendOnBehalfTo $OldDG.GrantSendOnBehalfTo `

            -HiddenFromAddressListsEnabled $True `

            -MailTip $OldDG.MailTip `

            -MailTipTranslations $OldDG.MailTipTranslations `

            -MemberDepartRestriction $OldDG.MemberDepartRestriction `

            -MemberJoinRestriction $OldDG.MemberJoinRestriction `

            -ModeratedBy $OldDG.ModeratedBy `

            -ModerationEnabled $OldDG.ModerationEnabled `

            -RejectMessagesFrom $OldDG.RejectMessagesFrom `

            -RejectMessagesFromDLMembers $OldDG.RejectMessagesFromDLMembers `

            -ReportToManagerEnabled $OldDG.ReportToManagerEnabled `

            -ReportToOriginatorEnabled $OldDG.ReportToOriginatorEnabled `

            -RequireSenderAuthenticationEnabled $OldDG.RequireSenderAuthenticationEnabled `

            -SendModerationNotifications $OldDG.SendModerationNotifications `

            -SendOofMessageToOriginatorEnabled $OldDG.SendOofMessageToOriginatorEnabled `

            -BypassSecurityGroupManagerCheck

        sleep 3

    }                

    Else {

        Write-Host ”  ERROR: The distribution group ‘$Group’ was not found” -ForegroundColor Red

        Write-Host

    }

}

}

# ————————————————————————–

# Delete all the Distribution Groups in Active Directory

# ————————————————————————–

Write-Host “All Distribution Lists have been replicated in the Cloud with Cloud_ as a prefix” -ForegroundColor Green

Write-Host “Completed” -ForegroundColor Green

Write-Host “———————————————————————————————-” -ForegroundColor Cyan

Write-host “If you encountered any errors during the creation of the Cloud-Group process you may hit CTRL + C now to kill the process.” -ForegroundColor Red -BackgroundColor Black

Write-host “If you kill the process now to fix any issues you should remove the Cloud-Group objects from Azure AD and start fresh.” -ForegroundColor Red -BackgroundColor Black

Write-host “WARNING – The Azure AZ Connect Sync Schedule is currently Suspended. You must complete the script or manually restart the Schedule.” -ForegroundColor Black -BackgroundColor Red

Write-Host “———————————————————————————————-” -ForegroundColor Cyan

Write-host “Press Enter to delete the migrated Distribution Lists from Active Directory” -ForegroundColor Cyan

pause

If (test-path ($WorkingDirectory + “DG_Details_Backup.csv”)) {

    $Identities = import-csv ($WorkingDirectory + “DG_Details_Backup.csv”) | select -expandproperty Identity

    foreach ($group in $identities) {

        Remove-ADGroup -identity “$group” -confirm:$false

        sleep 2

        }

}

Write-Host “All Distribution Lists have been removed from Active Directory” -ForegroundColor Green

Write-Host “Completed” -ForegroundColor Green

Write-Host “———————————————————————————————-” -ForegroundColor Cyan

sleep 15

Pause

# ————————————————————————–

# Initiate a Delta Sync with Azure AD Connect and set a timer of 5 minutes

# ————————————————————————–

Write-Host “Synchronizing Changes with Azure AD Connect.  Please allow 5 minutes for process to complete.  You will be prompted when to continue.” -ForegroundColor Green

Start-AdSyncSyncCycle -PolicyType Delta

Write-Host “PLEASE BE PATIENT – Confirm the Distribution Lists have been removed from Office 365 Azure AD before continuing” -ForegroundColor Green

sleep 300

Write-Host “Completed” -ForegroundColor Green

Write-Host “———————————————————————————————-” -ForegroundColor Cyan

Pause

# ————————————————————————–

# Complete the process by renaming the Cloud copies to the original names

# ————————————————————————–

Write-Host “Updating the placeholder Distribution Lists to replace the original AD synchronized Distribution Lists” -ForegroundColor Green

If (test-path $ExportDirectory) {

    $Identities = import-csv ($WorkingDirectory + “DG_Details_Backup.csv”) | select -expandproperty Identity

    foreach ($group in $identities) {

        $TempDG = Get-DistributionGroup “Cloud-$Group”

        $TempPrimarySmtpAddress = $TempDG.PrimarySmtpAddress

        [System.IO.Path]::GetInvalidFileNameChars() | ForEach {$Group = $Group.Replace($_,’_’)}

        $OldAddresses = @(Import-Csv “$ExportDirectory\$Group.csv”)

        $NewAddresses = $OldAddresses | ForEach {$_.EmailAddress.Replace(“X500″,”x500”)}

        $NewDGName = $TempDG.Name.Replace(“Cloud-“,””)

        $NewDGDisplayName = $TempDG.DisplayName.Replace(“Cloud-“,””)

        $NewDGAlias = $TempDG.Alias.Replace(“Cloud-“,””)

        $NewPrimarySmtpAddress = ($NewAddresses | Where {$_ -clike “SMTP:*”}).Replace(“SMTP:”,””)

    Write-Host “Converting Cloud-$Group to $Group”

        Set-DistributionGroup `

            -Identity $TempDG.Name `

            -Name $NewDGName `

            -Alias $NewDGAlias `

            -DisplayName $NewDGDisplayName `

            -PrimarySmtpAddress $NewPrimarySmtpAddress `

            -HiddenFromAddressListsEnabled $False `

            -BypassSecurityGroupManagerCheck

        Set-DistributionGroup `

            -Identity $NewDGName `

            -EmailAddresses @{Add=$NewAddresses} `

            -BypassSecurityGroupManagerCheck

        Set-DistributionGroup `

            -Identity $NewDGName `

            -EmailAddresses @{Remove=$TempPrimarySmtpAddress} `

            -BypassSecurityGroupManagerCheck

    sleep 3

    }

    }

Write-Host “Completed” -ForegroundColor Green

Write-Host “———————————————————————————————-” -ForegroundColor Cyan

# Re-Enable AD Sync Schedule

Set-ADSyncScheduler -SyncCycleEnabled $true

Write-Host “The conversion process happens in Exchange and can take a while to reflect in Azure AD”

Write-Host “Check to make sure that Azure AD is updated and now showing all of the Distribution Lists are converted to Cloud objects”

Pause

The post Office 365 – Migrating Distribution Groups appeared first on Wiredwolf Canada.

Basic creation is simple – you can do that right from EAC and select which type of recipients in the organization should be included.  

More complex options exist but are accomplished with PowerShell.  For instance, you want to create a distribution list that includes all Exchange Mailbox users, but you don’t want to include Shared Mailboxes, Equipment or Resource Mailboxes, or any users with attributes that match.  

If you want to use custom attributes where you have AAD Connect there’s a bit more you need to do.  I’ve document that here: https://catastrophe.wiredwolf.com/azure-ad-connect-and-custom-attributes/

This is where it gets a bit tricky.  You can’t mix operators and stay sane, so it’s important to know how to format the command with not double not nor negatives (joke).

Creating a List:

New-dynamicdistributiongroup -name “DGNAME” `
-recipientfilter {((RecipientType -eq ‘UserMailbox’) `
-and (CustomAttribute1 -ne ‘NoMember‘) `
-and (-not(RecipientTypeDetailsValue -eq ‘SharedMailbox’)) `
-and (-not(RecipientTypeDetailsValue -eq ‘GuestMailUser’)) `
-and (-not(Name -like ‘SystemMailbox{*’)) `
-and (-not(Name -like ‘CAS_{*’)) `
-and (-not(Company -eq ‘Acme‘)) `
-and (-not(RecipientTypeDetailsValue -eq ‘MailboxPlan’)) `
-and (-not(RecipientTypeDetailsValue -eq ‘DiscoveryMailbox’)) `
-and (-not(RecipientTypeDetailsValue -eq ‘PublicFolderMailbox’)) `
-and (-not(RecipientTypeDetailsValue -eq ‘ArbitrationMailbox’)) `
-and (-not(RecipientTypeDetailsValue -eq ‘AuditLogMailbox’)) `
-and (-not(RecipientTypeDetailsValue -eq ‘AuxAuditLogMailbox’)) `
-and (-not(RecipientTypeDetailsValue -eq ‘SupervisoryReviewPolicyMailbox’)))} `
-managedby “admin@yourdomain.com” `
-DisplayName “Dynamic Distribution Group Name” `
-RequireSenderAuthenticationEnabled $false `
-MemberDepartRestriction closed `
-MemberJoinRestriction closed

I’ve added a couple of options as an example of how far you can go with RecipientType and RecipientTypeDetails. If synchronized with an on-premises AD you can easily add attributes to the account, such as Company, or CustomAttribute1, at which point you can use these attributes to further hone the scope of your Dynamic Distribution List.

If you’ve created the dynamic distribution list already you can always edit it:

replace new-dynamicdistributiongroup -Name “DGNAME” with set-dynamicdistributiongroup -identity “DGNAME” 

Getting details from a single list – export to CSV

Get-Recipient -RecipientPreviewFilter (get-dynamicdistributiongroup DGNAME).RecipientFilter -OrganizationalUnit $group.RecipientContainer | select Name, DisplayName, PrimarySMTPAddress, RecipientType*, WindowsLiveID | export-csv “C:\CSV-PATH\DynDG-DGNAME.CSV” -NoTypeInformation

The post Dynamic Distribution Lists appeared first on Wiredwolf Canada.

If you have Office 365 and you’re actively using Exchange online then with just a few steps you can secure your mail properly.

Set up SPF

SPF is Sender Policy Framework and it basically tells the Internet where email from your domain is legitimately sent from.  When a receiving MTA does a check it sees the IP your email originated from then compares that to the SPF record in your DNS Zone.  If the IP or FQDN or MX doesn’t match – your mail could be blocked. 

Setting up SPF is simple and Microsoft gives you what you need right in the tenant.

• Log in to your Tenant as a Global Administrator
• Open Settings – Domains
• Select your primary domain (the one you mail from)
• Click on DNS
• Copy/paste the TXT record for SPF to Notepad

Note – if you have an email sender on your domain that is not sending through Office 365 you need to update the record to reflect that source.

Typical SPF record:   “v=spf1 include:spf.protection.outlook.com -all”

Here’s an SPF where you’ve added another source location for email:  “v=spf1 ip4:208.191.17.213 include:spf.protection.outlook.com -all” where 208.191.17.213 is the public IP of your office where you have a photocopier that sends email

Set up DKIM

DKIM is a bit harder to understand.  Domain Keys Identified Mail is a domain-level digital signature authentication framework that basically validates the DNS source against a signature from the MTA to validate the authenticity of the mail.  Primarily this is to prevent spoofing, where an outside source sends mail through the MTA (Message Transfer Agent) designed to look like it came from your domain.  DKIM adds headers to every outbound email that are checked against the DNS servers for your domain to validate the source which can be checked against the recipient MTA.

In this way both the MTA is validating against SPF and DKIM to verify the authenticity of the source of the email.  By the way, both are required to set up DMARC which we’ll get to in a bit.

Setting up DKIM is actually fairly simple.

Let’s say the domain registered in your MS Tenant is gotmilk.ca.

Crack open your PowerShell and connect to Exchange Online

connect-exchangeonline

Run a simple command to pull the DKIM records you’ll need:

get-dkimsigningconfig -identity gotmilk.ca | select domain,selector*CNAME

You’ll get a result that looks like this:

Domain Selector1CNAME Selector2CNAME
—— ————– ————–
gotmilk.ca selector1-gotmilk-ca._domainkey.gotmilk.onmicrosoft.com selector2-gotmilk-ca._domainkey.gotmilk.onmicrosoft.com

Copy/Paste the results to the Notepad document where you put your SPF record

Update DNS

Now it’s time to update your DNS Zone records.  We’ll continue to use gotmilk.ca for our examples. Go to your DNS server and create the following records:

@ (domain root) TXT  “v=spf1 include:spf.protection.outlook.com -all”

selector1._domainkey.gotmilk.ca CNAME gotmilk.ca selector1-gotmilk-ca._domainkey.gotmilk.onmicrosoft.com

selector2._domainkey.gotmilk.ca CNAME selector2-gotmilk-ca._domainkey.gotmilk.onmicrosoft.com

While you’re there create the DMARC record

_dmarc.gotmilk.ca TXT “v=DMARC1; pct=100; p=quarantine”

Office 365

Time to complete the setup in Office 365. 

• Log in to your Exchange Admin Center and go to protection –> DKIM
• Highlight the domain gotmilk.ca and click on Enable in the action pane on the right
  • If the two CNAME records you created above have propagated DKIM should enable successfully on the domain
  • Click on Rotate
• Open the Spam Filter and double click on the Default policy
• Open Advanced Options
• Enable two options:
  • SPF record: hard fail
  • Conditional Sender ID filtering: hard fail

That’s it! SPF, DKIM, and DMARC are now enabled and protecting your domain from general maliciousness.

DMARC has a number of additional options you can enable in the form of tags:

Declared tags

Defaulted tags

The post SPF – DKIM – DMARC appeared first on Wiredwolf Canada.

There are a series of steps that must be taken to ensure mail flow:

1. If using Azure AD Connect and filtering by OU or Security Group – make sure all mailbox users AD accounts are synchronized to Azure AD/Office 365
   1. Add all Mail Users
      1. In AD this can be easily accomplished with a simple Powershell script:
         

         Get-ADUser -Filter ‘Enabled -eq $true -and Mail -like “*@*”‘ | ForEach-Object {Add-ADGroupMember -Identity ‘Office365Users’ -Members $_ }

         Where “Office365Users” is your security group

   2. Add all Contacts
   3. Add all Distribution Lists
   4. Add all Mail-Enabled Security Groups

For mail from from Office 365 to Exchange On-Premises (Performed in Office 365 Exchange Admin Center):

1. Create an Internal Relay to On-Prem Exchange connector (in EAC)

For mail to Office 365 from Exchange On-Premises (Performed in On-Premises Exchange Server):

1. Create a tenant.mail.onmicrosoft.com in Accepted Domains and set to Internal Relay
2. Create an “O365 Relay” Send Connector
   1. FQDN of the connector (mail.domain.com – the FQDN public name of the On-Premises Exchange server)
   2. Address Scope – tenant.mail.onmicrosoft.com
   3. Smart Host – the MX provided by Microsoft Office 365 Domains DNS configuration (I.E. domain-com.mail.protection.outlook.com)
   4. Source Server: The On-Premises Exchange server

Make sure to check any firewall rules that restrict WAN to LAN to port 25 to specific addresses.  Use this list https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges to set up your rules to lock down unauthorized access to Port 25 inbound.

The post Office 365 Hybrid to On Premises Exchange – Mail Flow How-To appeared first on Wiredwolf Canada.

Here’s how it’s done:

• Create your new AD account
  • Set the Shared Mailbox address as the Primary Address (AD User Profile – General Tab – Email Address)
• Create a user mailbox in Exchange
• Add the user as a Delegate with Full Access and Send As rights to the Shared Mailbox
• Now sign in to a PC with the new user account and set up Outlook

Outlook will authenticate using the user account, but the mailbox that is assigned in Outlook will be the Shared Mailbox.  This now becomes the primary mailbox for the user, and this process can be repeated for each and every delegate, meaning you can have multiple people using the same mailbox as their primary mailbox.

Please note – if you have already set up the Outlook profile before setting the Shared Mailbox as the Primary Account in Active Directory, you will need to wipe the Outlook profile and create a new one.

Once completed go back in to Exchange, open the user’s mailbox, and hide from address lists.

This trick is very handy where you have a group of people who share the same job, and are all responsible for responding to email sent to that account.  This method allows you to set up individual users for domain account accountability, while sharing the same mailbox without worrying about where Sent Items are stored, or which address appeared in the From: field.

The post Setting Shared Mailbox as Primary Mailbox appeared first on Wiredwolf Canada.

One issue I’ve had is when creating a new migration batch the mailbox I want to migrate is not listed.

The issue seems to be with Azure AD Connect synchronization and the on-premises Active Directory.  If the account/user/mailbox has issues the replication to Azure AD gets horribly malformed.

Step 1 – remove the user from MS Online

Open PowerShell (elevated privileges) and connect to Msol-Services

 Install-Module MSOnline

Connect-MsolService -Credential $Credential

Provide the tenant Global Admin credentials

At this point you might as well also load up AzureAD

Install-Module AzureAD -force

Set-ExecutionPolicy RemoteSigned

$Session = NewPSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Credential -Authentication Basic -AllowRedirection

$Import-PSSession $Session

At this point your powershell has two sessions – one for AzureAD and one for MSOnline Services (Exchange Online)

The post Office 365 Migration Headaches appeared first on Wiredwolf Canada.

When the MSOnline license is applied for the mail user a mailbox is created.  If the user mailbox was not created in Exchange first, none of the mail attributes will synchronize and Exchange Online won’t know where to correctly route mail for the user.

Step 1: Create User Account in AD
Step 2: Create Mailbox in On-Premises Exchange
Step 3: After AD Sync has completed after new user account was created apply Microsoft Office 365 License
Step 4: Migrate Mailbox from On-Premises Exchange to Office 365 Exchange Online

Should you end up in a situation where this was done incorrectly, the only option is to use PowerShell to remove the Office 365 user account.

1. Ensure local Exchange mailbox has been created for the user
2. Connect to Office 365 tenant using Azure Active Directory Module for Windows PowerShell
3. Remove the user from Office 365 Tenant
4. Remove the user from Office 365 Tenant Recycle Bin
5. Manually push a sync
6. Apply Microsoft Office 365 License to user account

Connect-MsolService

Remove-MsolUser -UserPrincipalName user.name@example.com

Remove-MsolUser -UserPrincipalName user.name@example.com -RemoveFromRecycleBin -Force

Start-AdSyncSyncCycle -PolicyType Delta

Monitor the Exchange Online Recipients to ensure no new mailbox is created for the user after the Delta sync has completed.  If no mailbox is created, the user will appear under the Contacts as a Mail User and remain there until the migration of the mailbox to Office 365 is completed.

The post Creating New Users During Hybrid Migration appeared first on Wiredwolf Canada.

Fearing this would cause a problem I tried to batch-convert the mailboxes back to on-premises Exchange.  This failed. Instead of looking for a solution why the wizard failed, I decided to look for a Powershell solution.

It turns out it’s rather easy to do.  You already have the Hybrid configuration in place so the endpoints already know about one another.  Moving mailboxes around in PowerShell is the easiest solution.

Prerequisites:

• Domain Admin credentials
• Office 365 Global Admin credentials
• Database name of On-Premises Exchange

Open a PowerShell instance “as administrator” and execute these commands:

• Set-ExecutionPolicy RemoteSigned

• $UserCredential = Get-Credential

• $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.ofice365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

• Import-PSSession $Session -DisableNameChecking

• $opcred = get-credential domain\domainadmin

• Get-mailbox -identity user@domain.com | New-MoveRequest -OutBound -RemoteTargetDatabase ‘ON-PREM-EXCHANGE-DB’ -RemoteHostName ‘mail.domain.com’ -RemoteCredential $opcred -TargetDeliveryDomain ‘domain.com’

You can check in the status of your mailbox move:

• Get-MoveRequest

This doesn’t really tell you a whole lot.  It shows the existence of a request, but it doesn’t give you a real status.  A better way is:

• Get-MoveRequest | Get-MoveRequestStatistics

This shows you the stage of the request, the status of the request, the size of the mailbox being moved, and a percentage of progress. 

You can queue up as many of these as you like and monitor the progress of all of them using these commands.  

When you’re done you should remove the requests that have been completed or failed:

• Get-MoveRequest | where {$_.status -eq “Completed”| Remove-MoveRequest

• Get-MoveRequest | where {$_.status -eq “Failed”| Remove-MoveRequest

The post From Office 365 to On-Premises Exchange appeared first on Wiredwolf Canada.

I found where a number of people have written complicated scripts that invariably (for me anyway) were fraught with errors and unrecognized syntax.

I found a simple solution and a new feature that I wasn’t aware of:

Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITY\SELF” -and $_.IsInherited -eq $false} | Out-GridView

This is a simple and elegant way to find where any mailbox has a delegate.  Also, the output is in a simple “Grid View” (feature I didn’t know about until now) that easily shows:

Identity: (The account delegated out)
User:  (The account that has delegate access)
AccessRights: (The level of access)
IsInherited: (if False then was manually applied)
Deny: (self explanitory – was not delegated with a Deny – don’t really see the point of this)

Exchange 2010 doesn’t seem to be capable of Grid View so if you want a user readable format output to a CSV:

Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne “NT AUTHORITY\SELF” -and $_.IsInherited -eq $false} | Export-Csv c:\mailbox-permissions.csv

The post Finding Delegates in Exchange 2010/2013 appeared first on Wiredwolf Canada.

1. Authenticated SMTP
2. Anonymous SMTP

Given that the LAN of most networks is pretty secure we tend towards Anonymous SMTP.  Saves wear and tear when passwords are reset and it’s unlikely that a compromised system is going to take advantage of the user domain connection back to Exchange Online to send spam.

Set the copier SMTP to:   userdomain.mail.protection.outlook.com
Set the copier SMTP port to:  25

In Office 365 -> Admin -> Exchange -> Mail Flow -> Connectors

Set up a static IP connection to listen for anonymous relay.

The post Office 365 Exchange – Relay Connectors appeared first on Wiredwolf Canada.