• Users can no longer access the management of a Distribution Group in Outlook
• Synchronized Distribution Groups in Office 365 cannot be modified in Office 365 – as a synchronized object you must update in Active Directory
• Adding external contacts to a synchronized Distribution Group becomes difficult as you cannot synchronize contacts with Azure AD Connect

The solution is relatively simple – convert all Distribution Groups to Cloud objects.

This script was designed to do exactly that.

<#

#########################################################################################

##

## Name:        DG_Cloud.PS1

##

## Version:     1.0

##

## Description: $ Installs required components for Exchange Online Powershell Management

##              $ Creates a “Working” folder for Sea to Sky (C:\STS) for backups.

##              $ Creates an “Exports” folder for the temp files needed to migrate the

##              Distribution Lists.

##              $ Backs up the Distribution List Names and Attributes to DG_Details_Backup.csv

##              $ Backs up the Distribution List Members to DG_Members_Backup.csv

##              $ Capable of running mulitple times and retaining existing backups – creates

##              new backups each time it’s run if any new groups are detected

##              $ Selectively Creates a copy of each Distribution Group called Cloud_$Group

##              that are specifically Distribution Groups and not Mail-Enabled Security

##              groups.

##              $ Deletes the selected Distribtuion Groups from Active Directory

##              $ Initiates an Azure AD Connect to remove the AD objects from Cloud Environment

##              $ Forces wait period of 5 minutes to allow Azure AD to synchronize with Exchange

##              $ Completes process by renaming Cloud_$Group back to original name

##

## Usage:       Execute script in PowerShell with elevated privileges

##

## Author: Jason Zondag

##

## Disclaimer:  Has not been tried in every conceivable environment – always check the results

##              and fall back on the backups created to recreate the Distribution Groups if

##              necessary

##

#########################################################################################

###### ALTERNATIVE CODE FOR MFA LOGIN TO OFFICE 365  ####################################

#Connect & Login to ExchangeOnline (MFA)

$getsessions = Get-PSSession | Select-Object -Property State, Name

$isconnected = (@($getsessions) -like ‘@{State=Opened; Name=ExchangeOnlineInternalSession*’).Count -gt 0

If ($isconnected -ne “True”) {

Connect-ExchangeOnline

}

#########################################################################################

#>

clear

Write-Host “———————————————————————————————-” -ForegroundColor Cyan

Write-Host “!!!!!IMPORTANT!!!!!!” -ForeGroundColor Red

Write-Host “———————————————————————————————-” -ForegroundColor Cyan

Write-Host “!!!!!IMPORTANT!!!!!!” -ForeGroundColor Red

Write-Host “YOU MUST RUN THIS SCRIPT FROM THE DOMAIN CONTROLLER THAT IS RUNNING AZURE AD CONNECT” -ForeGroundColor Red

sleep 5

Write-Host “IF YOU ARE NOT PLEASE USE CTRL + C TO ESCAPE AND RUN FROM THE APPROPRIATE DOMAIN CONTROLLER” -ForeGroundColor Red

Write-Host “———————————————————————————————-” -ForegroundColor Cyan

Write-Host “It’s also important to note that this only affects Distribution Lists and not Mail-Enabled” -ForeGroundColor Green

Write-Host “Security Groups.  Mail-Enabled Security Groups must be handled differently.” -ForeGroundColor Green

Write-Host “———————————————————————————————-” -ForegroundColor Cyan

sleep 15

Pause

Write-Host “Connecting to Exchange Online – installing all required PowerShell Modules and initiaing a connection” -ForegroundColor Green

# ————————————————————————–

# Load PowerShell Modules

# ————————————————————————–

Set-ExecutionPolicy RemoteSigned -Force

Import-Module ActiveDirectory

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Install-Module -Name ExchangeOnlineManagement -Force

Import-Module ExchangeOnlineManagement

#Connect & Login to ExchangeOnline (MFA)

$getsession = get-pssession | select-object -Property State | select -expandproperty state

If ($getsession -ne “Opened”) {

Connect-ExchangeOnline

}

Write-Host “Completed” -ForegroundColor Green

Write-Host “———————————————————————————————-” -ForegroundColor Cyan

Write-Host

Write-host

Write-Host “______________________________________________________________________________________________” -ForegroundColor Cyan

Write-Host “Synchronized Distribution Groups with no ManagedBy settings will be defaulted to Organization” -ForeGroundColor Yellow

Write-Host “Management. This value cannot be translated.” -ForeGroundColor Yellow

Write-host

Write-Host “You must set a default account value to replace Organization Management.” -ForeGroundColor Green

Write-Host “The default account must be a valid licensed address for this tenant.  IE. seatosky@domain.com ” -ForeGroundColor Green

$ManagedByDefault = Read-host “Enter the email address of a valid licensed account for this tenant:”

Write-Host “______________________________________________________________________________________________” -ForegroundColor Cyan

# Disable Azure AD Connect from initiating a sync while this process is underway

Set-ADSyncScheduler -SyncCycleEnabled $false

Write-host “Azure AD Connect Schedule Sync has been disabled temporarily.”

# ————————————————————————–

# Create Working and Export folders

# ————————————————————————–

Write-Host “Creating a Working Directory C:\DG-Migrate and an Exports Directory within the Working Directory” -ForegroundColor Green

# Create a working directory

$orginfo = Get-OrganizationConfig | select -expandproperty Name

$WorkingDirectory = “C:\DG-Migrate\” + $orginfo + “\”

$ExportDirectory = $WorkingDirectory + “ExportedAddresses\”

If(!(Test-Path -Path $WorkingDirectory )){

# if WorkingDirectory doesn’t exist neither does ExportDirectory – create them both

            Write-Host ”  Creating Directory: $WorkingDirectory”

            New-Item -ItemType directory -Path $WorkingDirectory | Out-Null

            Write-Host ”  Creating Directory: $ExportDirectory”

            New-Item -ItemType directory -Path $ExportDirectory | Out-Null

        } else {

# WorkingDirectory may exist but that doesn’t mean ExportDirectory does – create if it doesn’t exist

If(!(Test-Path -Path $ExportDirectory )){

            Write-Host ”  Creating Directory: $ExportDirectory”

            New-Item -ItemType directory -Path $ExportDirectory | Out-Null

}

}

Write-Host “Completed” -ForegroundColor Green

Write-Host “———————————————————————————————-” -ForegroundColor Cyan

Write-Host “Creating a backup of all AD Synchronized Distribution Lists and placing into the Working Directory” -ForegroundColor Green

# ————————————————————————–

# Export all the Distribution Group Information to a separate file

# ————————————————————————–

$check = (get-distributiongroup | Where {($_.IsDirSynced -eq $true) -AND ($_.RecipientType -eq “MailUniversalDistributionGroup”)})

if ((($check | Measure-Object).count) -ne 0) {

# Not 0 so we found some Distribution Groups to migrate

# We don’t want to overwrite an existing backup set – rename any existing files with a time stamp

    if (Test-Path ($WorkingDirectory + “DG_Details_Backup.csv”)) {

        $filename = ($WorkingDirectory + “DG_Details_Backup.csv”)

        $fileObj = get-item $filename

        $DateStamp = get-date -uformat “%Y-%m-%d@%H-%M-%S”

        $extOnly = $fileObj.extension

        if ($extOnly.length -eq 0) {

            $nameOnly = $fileObj.Name

            rename-item “$fileObj” “$nameOnly-$DateStamp”

            }

        else {

            $nameOnly = $fileObj.Name.Replace( $fileObj.Extension,”)

            rename-item “$fileName” “$nameOnly-$DateStamp$extOnly”

        }       }

$check | select `

    GroupType, `

    SamAccountName, `

    IsDirSynced, `

    @{label=”ManagedBy”;expression={

        ($_.managedby `

        | % { get-mailbox -identity $_ | select-object -ExpandProperty PrimarySMTPAddress } `

        | Where-Object {$_ -like “*@*”}) -join ‘;’}

        }, `

    MemberJoinRestriction, `

    MemberDepartRestriction, `

    ReportToOriginatorEnabled, `

    Description, `

    AddressListMembership, `

    Alias, `

    DisplayName, `

    PrimarySMTPAddress, `

    @{label=”EmailAddressess”;expression={

        ($_.EmailAddresses | Where-Object {$_ -like “*smtp:*” }) -join ‘;’}

        },`

    ExternalDirectoryObjectId, `

    HiddenFromAddressListsEnabled, `

    LegacyExchangeDN, `

    MaxSendSize, `

    MaxReceiveSize, `

    ModeratedBy, `

    ModerationEnabled, `

    PoliciesIncluded, `

    PoliciesExcluded, `

    EmailAddressPolicyEnabled, `

    RecipientType, `

    RecipientTypeDetials, `

    RequireSenderAuthenticationEnabled, `

    WindowsEmailAddress, `

    Identity, `

    Id, `

    Name, `

    DistinguishedName, `

    ExchangeObjectId, `

    Guid `

| Export-CSV ($WorkingDirectory + “DG_Details_Backup.csv”) -NoTypeInformation

sleep 20

    }

else {

    Write-Host “There are no appropriate Distribution Lists to migrate.  Cancelling migration.”

    Break

}

Write-Host “Completed” -ForegroundColor Green

Write-Host “———————————————————————————————-” -ForegroundColor Cyan

Write-Host “Creating a backup of Distribution List Membership and placing in the Working Directory” -ForegroundColor Green

# ————————————————————————–

# Export all the Distribution Group Members to a separate file

# ————————————————————————–

$output = @()

$Identities = import-csv ($WorkingDirectory + “DG_Details_Backup.csv”) | select Name,PrimarySmtpAddress,Managedby,GroupType,RecipientType

If ($Identities) {

Foreach($group in $Identities) {

    $Members = Get-DistributionGroupMember $group.PrimarySmtpAddress -resultsize unlimited

    if (@($Members.count) -eq 0) {

        #$managers = ($group | Select @{Name=’DistributionGroupManagers’;Expression={[string]::join(“;”, ($_.Managedby))}})

        $userObj = New-Object PSObject

        $userObj | Add-Member NoteProperty -Name “DisplayName” -Value EmptyGroup

        $userObj | Add-Member NoteProperty -Name “Alias” -Value EmptyGroup

        $userObj | Add-Member NoteProperty -Name “RecipientType” -Value EmptyGroup

        $userObj | Add-Member NoteProperty -Name “Recipient OU” -Value EmptyGroup

        $userObj | Add-Member NoteProperty -Name “Primary SMTP address” -Value EmptyGroup

        $userObj | Add-Member NoteProperty -Name “Distribution Group” -Value $group.Name

        $userObj | Add-Member NoteProperty -Name “Distribution Group Primary SMTP address” -Value $group.PrimarySmtpAddress

        $userObj | Add-Member NoteProperty -Name “Distribution Group Managers” -Value $managers.DistributionGroupManagers

        $userObj | Add-Member NoteProperty -Name “Distribution Group Type” -Value $group.GroupType

        $userObj | Add-Member NoteProperty -Name “Distribution Group Recipient Type” -Value $group.RecipientType

        $output+=$UserObj

        }

    else {

    Foreach($Member in $members) {

        #$managers = $group | Select @{Name=’DistributionGroupManagers’;Expression={[string]::join(“;”, ($_.Managedby))}}

        $userObj = New-Object PSObject

        $userObj | Add-Member NoteProperty -Name “DisplayName” -Value $Member.Name

        $userObj | Add-Member NoteProperty -Name “Alias” -Value $Member.Alias

        $userObj | Add-Member NoteProperty -Name “RecipientType” -Value $Member.RecipientType

        $userObj | Add-Member NoteProperty -Name “Recipient OU” -Value $Member.OrganizationalUnit

        $userObj | Add-Member NoteProperty -Name “Primary SMTP address” -Value $Member.PrimarySmtpAddress

        $userObj | Add-Member NoteProperty -Name “Distribution Group” -Value $group.Name

        $userObj | Add-Member NoteProperty -Name “Distribution Group Primary SMTP address” -Value $group.PrimarySmtpAddress

        $userObj | Add-Member NoteProperty -Name “Distribution Group Managers” -Value $managers.DistributionGroupManagers

        $userObj | Add-Member NoteProperty -Name “Distribution Group Type” -Value $group.GroupType

        $userObj | Add-Member NoteProperty -Name “Distribution Group Recipient Type” -Value $group.RecipientType

        $output+=$UserObj

        }

    }

   }

   # We don’t want to overwrite an existing backup set – rename any existing files with a time stamp

    if (Test-Path ($WorkingDirectory + “DG_Members_Backup.csv”)) {

        $filename = ($WorkingDirectory + “DG_Members_Backup.csv”)

        $fileObj = get-item $filename

        $DateStamp = get-date -uformat “%Y-%m-%d@%H-%M-%S”

        $extOnly = $fileObj.extension

        if ($extOnly.length -eq 0) {

            $nameOnly = $fileObj.Name

            rename-item “$fileObj” “$nameOnly-$DateStamp”

            }

        else {

            $nameOnly = $fileObj.Name.Replace( $fileObj.Extension,”)

            rename-item “$fileName” “$nameOnly-$DateStamp$extOnly”

        }       }

    $output | Export-CSV ($WorkingDirectory + “DG_Members_Backup.csv”) -NoTypeInformation

   }

# ———————————————————————————————-

sleep 15

Write-Host “Completed” -ForegroundColor Green

Write-Host “———————————————————————————————-” -ForegroundColor Cyan

# ————————————————————————–

# Create the Cloud copies of the Distribution Lists

# ————————————————————————–

Write-Host “Creating Cloud copies of each AD Synced Distribution List” -ForegroundColor Green

$Identities = import-csv ($WorkingDirectory + “DG_Details_Backup.csv”) | select -expandproperty PrimarySmtpAddress

# Create the cloud versions

If ($Identities) {

    foreach ($group in $identities) {

    If (((Get-DistributionGroup $group -Resultsize Unlimited -ErrorAction ‘SilentlyContinue’).IsValid) -eq $true) {

        $OldDG = Get-DistributionGroup $group

        [System.IO.Path]::GetInvalidFileNameChars() | ForEach {$Group = $Group.Replace($_,’_’)}

        $OldName = [string]$OldDG.Name

        $OldDisplayName = [string]$OldDG.DisplayName

        $OldPrimarySmtpAddress = [string]$OldDG.PrimarySmtpAddress

        $OldAlias = [string]$OldDG.Alias

           

            if ((![string]$OldDG.managedby) -or ([string]$OldDG.managedby -eq “Organization Management”)) {

                [string]$OldDG.managedby=$ManagedByDefault

                }

           

        $OldMembers = (Get-DistributionGroupMember $OldDG.PrimarySmtpAddress).primarysmtpaddress “EmailAddress” > “$ExportDirectory\$OldName.csv”

        $OldDG.EmailAddresses >> “$ExportDirectory\$OldName.csv”

        “x500:”+$OldDG.LegacyExchangeDN >> “$ExportDirectory\$OldName.csv”

        Write-Host ”  Creating Group: Cloud-$OldDisplayName” -ForegroundColor Green

        New-DistributionGroup `

            -Name “Cloud-$OldName” `

            -Alias “Cloud-$OldAlias” `

            -DisplayName “Cloud-$OldDisplayName” `

            -ManagedBy $OldDG.ManagedBy `

            -Members $OldMembers `

            -PrimarySmtpAddress “Cloud-$OldPrimarySmtpAddress” | Out-Null

        Sleep -Seconds 3

        Write-Host ”  Setting Values For: Cloud-$OldDisplayName” -ForegroundColor Green

        Set-DistributionGroup `

            -Identity “Cloud-$OldPrimarySmtpAddress” `

            -AcceptMessagesOnlyFromSendersOrMembers $OldDG.AcceptMessagesOnlyFromSendersOrMembers `

            -RejectMessagesFromSendersOrMembers $OldDG.RejectMessagesFromSendersOrMembers `

        Set-DistributionGroup `

            -Identity “Cloud-$OldPrimarySmtpAddress” `

            -AcceptMessagesOnlyFrom $OldDG.AcceptMessagesOnlyFrom `

            -AcceptMessagesOnlyFromDLMembers $OldDG.AcceptMessagesOnlyFromDLMembers `

            -BypassModerationFromSendersOrMembers $OldDG.BypassModerationFromSendersOrMembers `

            -BypassNestedModerationEnabled $OldDG.BypassNestedModerationEnabled `

            -CustomAttribute1 $OldDG.CustomAttribute1 `

            -CustomAttribute2 $OldDG.CustomAttribute2 `

            -CustomAttribute3 $OldDG.CustomAttribute3 `

            -CustomAttribute4 $OldDG.CustomAttribute4 `

            -CustomAttribute5 $OldDG.CustomAttribute5 `

            -CustomAttribute6 $OldDG.CustomAttribute6 `

            -CustomAttribute7 $OldDG.CustomAttribute7 `

            -CustomAttribute8 $OldDG.CustomAttribute8 `

            -CustomAttribute9 $OldDG.CustomAttribute9 `

            -CustomAttribute10 $OldDG.CustomAttribute10 `

            -CustomAttribute11 $OldDG.CustomAttribute11 `

            -CustomAttribute12 $OldDG.CustomAttribute12 `

            -CustomAttribute13 $OldDG.CustomAttribute13 `

            -CustomAttribute14 $OldDG.CustomAttribute14 `

            -CustomAttribute15 $OldDG.CustomAttribute15 `

            -ExtensionCustomAttribute1 $OldDG.ExtensionCustomAttribute1 `

            -ExtensionCustomAttribute2 $OldDG.ExtensionCustomAttribute2 `

            -ExtensionCustomAttribute3 $OldDG.ExtensionCustomAttribute3 `

            -ExtensionCustomAttribute4 $OldDG.ExtensionCustomAttribute4 `

            -ExtensionCustomAttribute5 $OldDG.ExtensionCustomAttribute5 `

            -GrantSendOnBehalfTo $OldDG.GrantSendOnBehalfTo `

            -HiddenFromAddressListsEnabled $True `

            -MailTip $OldDG.MailTip `

            -MailTipTranslations $OldDG.MailTipTranslations `

            -MemberDepartRestriction $OldDG.MemberDepartRestriction `

            -MemberJoinRestriction $OldDG.MemberJoinRestriction `

            -ModeratedBy $OldDG.ModeratedBy `

            -ModerationEnabled $OldDG.ModerationEnabled `

            -RejectMessagesFrom $OldDG.RejectMessagesFrom `

            -RejectMessagesFromDLMembers $OldDG.RejectMessagesFromDLMembers `

            -ReportToManagerEnabled $OldDG.ReportToManagerEnabled `

            -ReportToOriginatorEnabled $OldDG.ReportToOriginatorEnabled `

            -RequireSenderAuthenticationEnabled $OldDG.RequireSenderAuthenticationEnabled `

            -SendModerationNotifications $OldDG.SendModerationNotifications `

            -SendOofMessageToOriginatorEnabled $OldDG.SendOofMessageToOriginatorEnabled `

            -BypassSecurityGroupManagerCheck

        sleep 3

    }                

    Else {

        Write-Host ”  ERROR: The distribution group ‘$Group’ was not found” -ForegroundColor Red

        Write-Host

    }

}

}

# ————————————————————————–

# Delete all the Distribution Groups in Active Directory

# ————————————————————————–

Write-Host “All Distribution Lists have been replicated in the Cloud with Cloud_ as a prefix” -ForegroundColor Green

Write-Host “Completed” -ForegroundColor Green

Write-Host “———————————————————————————————-” -ForegroundColor Cyan

Write-host “If you encountered any errors during the creation of the Cloud-Group process you may hit CTRL + C now to kill the process.” -ForegroundColor Red -BackgroundColor Black

Write-host “If you kill the process now to fix any issues you should remove the Cloud-Group objects from Azure AD and start fresh.” -ForegroundColor Red -BackgroundColor Black

Write-host “WARNING – The Azure AZ Connect Sync Schedule is currently Suspended. You must complete the script or manually restart the Schedule.” -ForegroundColor Black -BackgroundColor Red

Write-Host “———————————————————————————————-” -ForegroundColor Cyan

Write-host “Press Enter to delete the migrated Distribution Lists from Active Directory” -ForegroundColor Cyan

pause

If (test-path ($WorkingDirectory + “DG_Details_Backup.csv”)) {

    $Identities = import-csv ($WorkingDirectory + “DG_Details_Backup.csv”) | select -expandproperty Identity

    foreach ($group in $identities) {

        Remove-ADGroup -identity “$group” -confirm:$false

        sleep 2

        }

}

Write-Host “All Distribution Lists have been removed from Active Directory” -ForegroundColor Green

Write-Host “Completed” -ForegroundColor Green

Write-Host “———————————————————————————————-” -ForegroundColor Cyan

sleep 15

Pause

# ————————————————————————–

# Initiate a Delta Sync with Azure AD Connect and set a timer of 5 minutes

# ————————————————————————–

Write-Host “Synchronizing Changes with Azure AD Connect.  Please allow 5 minutes for process to complete.  You will be prompted when to continue.” -ForegroundColor Green

Start-AdSyncSyncCycle -PolicyType Delta

Write-Host “PLEASE BE PATIENT – Confirm the Distribution Lists have been removed from Office 365 Azure AD before continuing” -ForegroundColor Green

sleep 300

Write-Host “Completed” -ForegroundColor Green

Write-Host “———————————————————————————————-” -ForegroundColor Cyan

Pause

# ————————————————————————–

# Complete the process by renaming the Cloud copies to the original names

# ————————————————————————–

Write-Host “Updating the placeholder Distribution Lists to replace the original AD synchronized Distribution Lists” -ForegroundColor Green

If (test-path $ExportDirectory) {

    $Identities = import-csv ($WorkingDirectory + “DG_Details_Backup.csv”) | select -expandproperty Identity

    foreach ($group in $identities) {

        $TempDG = Get-DistributionGroup “Cloud-$Group”

        $TempPrimarySmtpAddress = $TempDG.PrimarySmtpAddress

        [System.IO.Path]::GetInvalidFileNameChars() | ForEach {$Group = $Group.Replace($_,’_’)}

        $OldAddresses = @(Import-Csv “$ExportDirectory\$Group.csv”)

        $NewAddresses = $OldAddresses | ForEach {$_.EmailAddress.Replace(“X500″,”x500”)}

        $NewDGName = $TempDG.Name.Replace(“Cloud-“,””)

        $NewDGDisplayName = $TempDG.DisplayName.Replace(“Cloud-“,””)

        $NewDGAlias = $TempDG.Alias.Replace(“Cloud-“,””)

        $NewPrimarySmtpAddress = ($NewAddresses | Where {$_ -clike “SMTP:*”}).Replace(“SMTP:”,””)

    Write-Host “Converting Cloud-$Group to $Group”

        Set-DistributionGroup `

            -Identity $TempDG.Name `

            -Name $NewDGName `

            -Alias $NewDGAlias `

            -DisplayName $NewDGDisplayName `

            -PrimarySmtpAddress $NewPrimarySmtpAddress `

            -HiddenFromAddressListsEnabled $False `

            -BypassSecurityGroupManagerCheck

        Set-DistributionGroup `

            -Identity $NewDGName `

            -EmailAddresses @{Add=$NewAddresses} `

            -BypassSecurityGroupManagerCheck

        Set-DistributionGroup `

            -Identity $NewDGName `

            -EmailAddresses @{Remove=$TempPrimarySmtpAddress} `

            -BypassSecurityGroupManagerCheck

    sleep 3

    }

    }

Write-Host “Completed” -ForegroundColor Green

Write-Host “———————————————————————————————-” -ForegroundColor Cyan

# Re-Enable AD Sync Schedule

Set-ADSyncScheduler -SyncCycleEnabled $true

Write-Host “The conversion process happens in Exchange and can take a while to reflect in Azure AD”

Write-Host “Check to make sure that Azure AD is updated and now showing all of the Distribution Lists are converted to Cloud objects”

Pause

The post Office 365 – Migrating Distribution Groups appeared first on Wiredwolf Canada.

Typically I use the EmailAddress (Mail) attribute to cross-link the accounts.

Example:

Azure AD user:  Smiles J. McDuff

Azure AD email:  smiley@mydomain.com, sjmcduff@mydomain.onmicrosoft.com

In AD I then create the user –

AD User:   Smiles McDuff

SamAccountName:  sjmcduff

Set Email Address:  smiley@mydomain.com

When I do an Azure AD Connect Sync the new AD user should match to the Azure AD user and overwrite the user and attributes to that based in Active Directory.

Sometimes that doesn’t happen, such as making a typo with the email address, and instead of cross-linking the accounts between AD and AAD, a new user account is created in AAD.  Now things get tricky, because no matter how many times you delete the incorrect account in Azure AD, the next sync will just recreate it.

The solution is to capture the ObjectGUID attribute for the user in Active Directory and set that as the ImmutableID for the user in Azure.

Command:

Get-ADUser sjmcduff | select-object userPrincipalName, objectGuid

Result:

UserPrincipleName  :  sjmcduff@mywindowsdomain.com

objectGuid : b316d357-25fd-4912-9896-faf007a16289

Now convert that Guid to something we can use as an ImmutableID –

[Convert]::ToBase64String([guid]::New(“b316d357-25fd-4912-9896-faf007a16289”).ToByteArray())

Result:  

V9MWs/0lEkmYlvrwB6FiiQ==

This is our new ImmutableID value for the Azure AD user account.

connect-msolservice

Get-MsolUser -UserPrincipalName “sjmcduff@mydomain.onmicrosoft.com” | select-object userPrincipalName, ImmutableId

Result:

UserPrincipalName : sjmcduff@mydomain.onmicrosoft.com
ImmutableId :                              [Confirm ImmutableID is blank -if not record it in your notes]

Command:

Set-MsolUser -UserPrincipalName “sjmcduff@mydomain.onmicrosoft.com” -ImmutableId “V9MWs/0lEkmYlvrwB6FiiQ==”

Comand:

Get-MsolUser -UserPrincipalName “sjmcduff@mydomain.onmicrosoft.com” | fl userPrincipalName,ImmutableId

Confirm ImmutableID matches

Now when you sync, the accounts should pair up properly.

The post Azure AD Connect – Fixing the Sync appeared first on Wiredwolf Canada.

The post PowerShell – Active Directory – New Email Domain appeared first on Wiredwolf Canada.

1. Open PowerShell (as Administrator is also an option)
2. Copy/Paste:   Set-ExecutionPolicy Unrestricted
   1. Execute
3. Copy/Paste:  [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
   1. Execute
4. Copy/Paste:  Register-PSRepository -Default
   1. Execute
5. Copy/Paste:  Update-Module PowerShellGet -Force
   1. Execute

At this point you should be in good shape to add whatever modules it is you are trying to install from the repository. 

• Install-Module AzureAD
• Install-Module ExchangeOnlineManagement
• etc

The post PowerShell – Installing Modules appeared first on Wiredwolf Canada.

Basic creation is simple – you can do that right from EAC and select which type of recipients in the organization should be included.  

More complex options exist but are accomplished with PowerShell.  For instance, you want to create a distribution list that includes all Exchange Mailbox users, but you don’t want to include Shared Mailboxes, Equipment or Resource Mailboxes, or any users with attributes that match.  

If you want to use custom attributes where you have AAD Connect there’s a bit more you need to do.  I’ve document that here: https://catastrophe.wiredwolf.com/azure-ad-connect-and-custom-attributes/

This is where it gets a bit tricky.  You can’t mix operators and stay sane, so it’s important to know how to format the command with not double not nor negatives (joke).

Creating a List:

New-dynamicdistributiongroup -name “DGNAME” `
-recipientfilter {((RecipientType -eq ‘UserMailbox’) `
-and (CustomAttribute1 -ne ‘NoMember‘) `
-and (-not(RecipientTypeDetailsValue -eq ‘SharedMailbox’)) `
-and (-not(RecipientTypeDetailsValue -eq ‘GuestMailUser’)) `
-and (-not(Name -like ‘SystemMailbox{*’)) `
-and (-not(Name -like ‘CAS_{*’)) `
-and (-not(Company -eq ‘Acme‘)) `
-and (-not(RecipientTypeDetailsValue -eq ‘MailboxPlan’)) `
-and (-not(RecipientTypeDetailsValue -eq ‘DiscoveryMailbox’)) `
-and (-not(RecipientTypeDetailsValue -eq ‘PublicFolderMailbox’)) `
-and (-not(RecipientTypeDetailsValue -eq ‘ArbitrationMailbox’)) `
-and (-not(RecipientTypeDetailsValue -eq ‘AuditLogMailbox’)) `
-and (-not(RecipientTypeDetailsValue -eq ‘AuxAuditLogMailbox’)) `
-and (-not(RecipientTypeDetailsValue -eq ‘SupervisoryReviewPolicyMailbox’)))} `
-managedby “admin@yourdomain.com” `
-DisplayName “Dynamic Distribution Group Name” `
-RequireSenderAuthenticationEnabled $false `
-MemberDepartRestriction closed `
-MemberJoinRestriction closed

I’ve added a couple of options as an example of how far you can go with RecipientType and RecipientTypeDetails. If synchronized with an on-premises AD you can easily add attributes to the account, such as Company, or CustomAttribute1, at which point you can use these attributes to further hone the scope of your Dynamic Distribution List.

If you’ve created the dynamic distribution list already you can always edit it:

replace new-dynamicdistributiongroup -Name “DGNAME” with set-dynamicdistributiongroup -identity “DGNAME” 

Getting details from a single list – export to CSV

Get-Recipient -RecipientPreviewFilter (get-dynamicdistributiongroup DGNAME).RecipientFilter -OrganizationalUnit $group.RecipientContainer | select Name, DisplayName, PrimarySMTPAddress, RecipientType*, WindowsLiveID | export-csv “C:\CSV-PATH\DynDG-DGNAME.CSV” -NoTypeInformation

The post Dynamic Distribution Lists appeared first on Wiredwolf Canada.

That’s fine normally, because typically that’s the email address you would normally assign the user.  That is, until the account is updated with MFA registration information, at which point the default address automatically becomes the @tenant.onmicrosoft.com extension.  Then it becomes a big problem as the onmicrosoft.com domain is not typically routable.

When we uncovered this undocumented feature we realized that we were going to have to update all AD accounts where the proxyAddresses attribute field was left blank.  Except, how to search for something that isn’t there on hundreds of accounts?

I discovered through a lot of trail and error that not all operators work with all cmdlets.  Get-ADUser, for example, can handle -filter options of -eq -like -match, but cannot handle -ceq -clike or -cmatch, and has no concept at all of -notlike or -notequal.  Suddenly the search become considerably more difficult.

I know there’s going to be a lot of PowerShell experts out there who’ll look at this and say “there’s a better way” but this was the best I could come up with:

get-aduser -filter ‘enabled -eq $true’ -Properties Name,DisplayName,SamAccountName,SurName,GivenName,UserPrincipalName,proxyaddresses | `
Select-Object Name, DisplayName, SamAccountName, Surname, GivenName, UserPrincipalName, `
@{n = “proxyAddress”; e = { $_.proxyAddresses | Where-object { $_ -clike “SMTP:*” } } }

I exported the results to a CSV file, then used Excel’s Data –> Filter option to filter out all found SMTP entries, leaving only blanks, which gave me the list of accounts to fix.

I was actually hoping to also find a way to filter out all the system accounts, but was satisfied with the AD ‘enabled’ accounts.

The post PowerShell CMDLET Limitations appeared first on Wiredwolf Canada.

The post Automatic Enrollment Issues with Intune appeared first on Wiredwolf Canada.

If you have Office 365 and you’re actively using Exchange online then with just a few steps you can secure your mail properly.

Set up SPF

SPF is Sender Policy Framework and it basically tells the Internet where email from your domain is legitimately sent from.  When a receiving MTA does a check it sees the IP your email originated from then compares that to the SPF record in your DNS Zone.  If the IP or FQDN or MX doesn’t match – your mail could be blocked. 

Setting up SPF is simple and Microsoft gives you what you need right in the tenant.

• Log in to your Tenant as a Global Administrator
• Open Settings – Domains
• Select your primary domain (the one you mail from)
• Click on DNS
• Copy/paste the TXT record for SPF to Notepad

Note – if you have an email sender on your domain that is not sending through Office 365 you need to update the record to reflect that source.

Typical SPF record:   “v=spf1 include:spf.protection.outlook.com -all”

Here’s an SPF where you’ve added another source location for email:  “v=spf1 ip4:208.191.17.213 include:spf.protection.outlook.com -all” where 208.191.17.213 is the public IP of your office where you have a photocopier that sends email

Set up DKIM

DKIM is a bit harder to understand.  Domain Keys Identified Mail is a domain-level digital signature authentication framework that basically validates the DNS source against a signature from the MTA to validate the authenticity of the mail.  Primarily this is to prevent spoofing, where an outside source sends mail through the MTA (Message Transfer Agent) designed to look like it came from your domain.  DKIM adds headers to every outbound email that are checked against the DNS servers for your domain to validate the source which can be checked against the recipient MTA.

In this way both the MTA is validating against SPF and DKIM to verify the authenticity of the source of the email.  By the way, both are required to set up DMARC which we’ll get to in a bit.

Setting up DKIM is actually fairly simple.

Let’s say the domain registered in your MS Tenant is gotmilk.ca.

Crack open your PowerShell and connect to Exchange Online

connect-exchangeonline

Run a simple command to pull the DKIM records you’ll need:

get-dkimsigningconfig -identity gotmilk.ca | select domain,selector*CNAME

You’ll get a result that looks like this:

Domain Selector1CNAME Selector2CNAME
—— ————– ————–
gotmilk.ca selector1-gotmilk-ca._domainkey.gotmilk.onmicrosoft.com selector2-gotmilk-ca._domainkey.gotmilk.onmicrosoft.com

Copy/Paste the results to the Notepad document where you put your SPF record

Update DNS

Now it’s time to update your DNS Zone records.  We’ll continue to use gotmilk.ca for our examples. Go to your DNS server and create the following records:

@ (domain root) TXT  “v=spf1 include:spf.protection.outlook.com -all”

selector1._domainkey.gotmilk.ca CNAME gotmilk.ca selector1-gotmilk-ca._domainkey.gotmilk.onmicrosoft.com

selector2._domainkey.gotmilk.ca CNAME selector2-gotmilk-ca._domainkey.gotmilk.onmicrosoft.com

While you’re there create the DMARC record

_dmarc.gotmilk.ca TXT “v=DMARC1; pct=100; p=quarantine”

Office 365

Time to complete the setup in Office 365. 

• Log in to your Exchange Admin Center and go to protection –> DKIM
• Highlight the domain gotmilk.ca and click on Enable in the action pane on the right
  • If the two CNAME records you created above have propagated DKIM should enable successfully on the domain
  • Click on Rotate
• Open the Spam Filter and double click on the Default policy
• Open Advanced Options
• Enable two options:
  • SPF record: hard fail
  • Conditional Sender ID filtering: hard fail

That’s it! SPF, DKIM, and DMARC are now enabled and protecting your domain from general maliciousness.

DMARC has a number of additional options you can enable in the form of tags:

Declared tags

Defaulted tags

The post SPF – DKIM – DMARC appeared first on Wiredwolf Canada.

There are a series of steps that must be taken to ensure mail flow:

1. If using Azure AD Connect and filtering by OU or Security Group – make sure all mailbox users AD accounts are synchronized to Azure AD/Office 365
   1. Add all Mail Users
      1. In AD this can be easily accomplished with a simple Powershell script:
         

         Get-ADUser -Filter ‘Enabled -eq $true -and Mail -like “*@*”‘ | ForEach-Object {Add-ADGroupMember -Identity ‘Office365Users’ -Members $_ }

         Where “Office365Users” is your security group

   2. Add all Contacts
   3. Add all Distribution Lists
   4. Add all Mail-Enabled Security Groups

For mail from from Office 365 to Exchange On-Premises (Performed in Office 365 Exchange Admin Center):

1. Create an Internal Relay to On-Prem Exchange connector (in EAC)

For mail to Office 365 from Exchange On-Premises (Performed in On-Premises Exchange Server):

1. Create a tenant.mail.onmicrosoft.com in Accepted Domains and set to Internal Relay
2. Create an “O365 Relay” Send Connector
   1. FQDN of the connector (mail.domain.com – the FQDN public name of the On-Premises Exchange server)
   2. Address Scope – tenant.mail.onmicrosoft.com
   3. Smart Host – the MX provided by Microsoft Office 365 Domains DNS configuration (I.E. domain-com.mail.protection.outlook.com)
   4. Source Server: The On-Premises Exchange server

Make sure to check any firewall rules that restrict WAN to LAN to port 25 to specific addresses.  Use this list https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges to set up your rules to lock down unauthorized access to Port 25 inbound.

The post Office 365 Hybrid to On Premises Exchange – Mail Flow How-To appeared first on Wiredwolf Canada.

The problem was source anchors for the account was a direct link between the AD Object and the UPN in Office 365.  In AD the usernames were swapped, and TargetAddress, ProxyAddresses, etc., all updated, but when the synchronization to Office 365 happened the original tenant address (from a Hybrid Exchange Migration no doubt) was username@tenant.onmicrosoft.com, and it REFUSED to update.  It showed as an alias in the online account, but was set as primary, and could not be removed.

Here’s the process to fix this:

1. Remove the user(s) from the Synchronization and force a Delta sync
   Start-ADSyncSyncCycle -PolicyType delta
2. Recover the user from Deleted Users in Office 365 – this converts the account to Cloud status (no longer linked to AD)
3. Confirm the user is now showing up in Active Users as as a Cloud user
4. Obtain the objectGuid and userPrincipalName from AD using this command (in an elevated command window):
   ldifde -f C:\Export\export.txt -r “(Userprincipalname=*)” -l “objectGuid, userPrincipalName”
5. Locate the user account using the userPrincipalName and copy/paste the objectGuid and userPrincipalName to a new Notepad window
6. In an Elevated PowerShell window, log into the tenant
   Connect-MsolService 
7. Now replace the ImmutableId of the converted Cloud user to match the one you pulled from AD:
   Set-MsolUser -UserPrincipalName <userPrincipalName pulled from AD> -ImmutableId <objectGuid pulled from AD>
8. Once the ImmutableID is updated you should update the Cloud user
   1. In the Office 365 Admin go to Users –> Active Users –> User Name
   2. In the User account fly-out – click on Manage email aliases
   3. Remove the alias that was originally stuck and could not be removed
9. Back in AD add the user back to the synchronization and perform an Initial Sync
   Start-ADSyncSyncCycle -PolicyType Initial
10. Wait for the synchronization to occur and refresh your Office 365 Active Users screen until the user account shows as being synchronized with AD

The user will now be updated to reflect the values of Active Directory and accept future edits in Active Directory.

Outlook’s AutoDiscover should also pick up the changes and the ‘weirdness’ reported should disappear.

NOTE: One thing I did find was the initial and following delta synchronizations did not actually update the user from Cloud to AD Synchronized status.  However, making a minor modification to the account, such as adding an alias to proxyAddresses, did trigger the status change.  Once changed, I just removed the extra alias and synchronized again.

NOTE: I also discovered that it can take a little while for minor changes to show up in the Office 365 console.  It took over 5 minutes of refreshing the screen to get the offending source anchor alias I wanted to remove to even show up after the account was converted from AD to Cloud status.  Just be patient.  It will get there.  Eventually.

The post Office 365 – Username Changes in AD affecting Azure AD – Attributes Locked appeared first on Wiredwolf Canada.