Friday, 17 April 2015

Setting Office 365 User Passwords to Never Expire

The default policy for Office 365 user accounts is to automatically expire their passwords after 90 days. Some of our users experienced this today, and the most annoying thing about it was that they were not warned beforehand. They were simply locked out of their accounts until they changed their password there and then, unlike the Windows OS counterpart, which gives you a comfortable 15-day warning before forcing you to change your password.
Anyway, this article will tell you how to set the password expiry from 90 days to never.
Office 365 already enforces a strong password policy BUT I do not recommend you change this setting if your users often use public terminals or are prone to writing their passwords on sticky notes and keeping them under their keyboards :)

  1. First you need to download the AdministrationConfig.msi from Microsoft. This is not the same as PowerShell. The MSO config shell is used mainly for administrative purposes. You can download it here.
  2. Enter the commands below:
    Import-Module MSOnline
    $Creds = Get-Credential
    Connect-MsolService -Credential $Creds
    $LiveCred = Get-Credential
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
    Import-PSSession $Session
    # -All is needed because Get-MsolUser returns only the first 500 users by default
    Get-MsolUser -All | Set-MsolUser -PasswordNeverExpires $true
The last command is the one which sets the ‘PasswordNeverExpires’ attribute to true for all your users.
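
Given the caveat above about public terminals and sticky notes, a narrower approach is to exempt only a named set of accounts and then check that no other account carries the flag. The following is an added example, not part of the original post; it assumes Connect-MsolService has already been run as in step 2, and the addresses in $Exempt are constructed placeholders.

```powershell
# Added example: scope the exemption and audit the result.
# Constructed placeholder accounts; replace with your own list.
$Exempt = @('svc-backup@domain.com', 'svc-scanner@domain.com')

# 1. Set the flag only on the accounts that are meant to be exempt.
foreach ($upn in $Exempt) {
    Set-MsolUser -UserPrincipalName $upn -PasswordNeverExpires $true
}

# 2. Report every account in the tenant that has the flag set,
#    oldest password first.
$neverExpire = @(Get-MsolUser -All |
    Where-Object { $_.PasswordNeverExpires -eq $true } |
    Select-Object UserPrincipalName, LastPasswordChangeTimestamp)

$neverExpire | Sort-Object LastPasswordChangeTimestamp | Format-Table -AutoSize

# 3. Anything flagged but not on the exemption list is unexpected.
#    (-notcontains compares strings case-insensitively.)
$unexpected = @($neverExpire |
    Where-Object { $Exempt -notcontains $_.UserPrincipalName })

if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) account(s) never expire but are not exempt:"
    $unexpected | Format-Table -AutoSize

    # 4. Put those accounts back on the default expiry policy.
    foreach ($u in $unexpected) {
        Set-MsolUser -UserPrincipalName $u.UserPrincipalName -PasswordNeverExpires $false
    }
} else {
    Write-Output 'Only the exempt accounts have PasswordNeverExpires set.'
}
```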

Grant and Revoke Access to Mailboxes – Office 365

There may be times where you may need to grant an IT administrator or other employees access to another user’s mailbox.
Below I will demonstrate how to:
  • Grant an Admin access to a single mailbox
  • Grant an Admin access to all mailboxes
  • Revoke the above permissions (recommended course of action after the Administrator has finished his/her tasks)

  1. First make sure you have the execution policy set to RemoteSigned. You can do this by running PowerShell in admin mode and running: Set-ExecutionPolicy RemoteSigned
  2. Next, run the following to authenticate yourself and import PowerShell commands to your local session:
    $LiveCred = Get-Credential
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
    Import-PSSession $Session

Grant an Admin access to a single mailbox

  • Add-MailboxPermission user@domain.com -User admin@domain.com -AccessRights FullAccess -InheritanceType All

Grant an Admin access to all mailboxes

  • Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox') -and (Alias -ne 'Admin')} | Add-MailboxPermission -User admin@domain.com -AccessRights fullaccess -InheritanceType all

Revoke the above permissions

  • If you want to revoke permissions after granting them, simply replace 'Add-MailboxPermission' with 'Remove-MailboxPermission' in the original command you entered to grant the permissions. For example, to grant admin@example.com full access to user@example.com, you would enter the command:
    Add-MailboxPermission user@example.com -User admin@example.com -AccessRights FullAccess -InheritanceType All
  • To revoke admin@example.com's access to user@example.com, you would enter the command:
    Remove-MailboxPermission user@example.com -User admin@example.com -AccessRights FullAccess -InheritanceType All

Update: There is a switch you can use in conjunction with the above commands which will hide the user mailbox from appearing in the mailbox-tree panel in Outlook (on the left side).

-AutoMapping $false
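
After a grant across all mailboxes, revocation is only complete once every entry has been removed and checked. The following added example (not part of the original post) lists the admin's explicit FullAccess entries, removes them, and verifies the result; it assumes the Exchange Online session from step 2 is imported, and Get-ExplicitFullAccess is a hypothetical helper name.

```powershell
# Added example: audit, revoke and verify FullAccess grants for one admin.
# admin@domain.com is the placeholder address used in the post.
$Admin = 'admin@domain.com'

function Get-ExplicitFullAccess {
    param([Parameter(Mandatory)][string]$User)

    # Walk every user mailbox and keep only direct (non-inherited) Allow
    # entries that include FullAccess for the given user.
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
        $smtp = [string]$mbx.PrimarySmtpAddress
        Get-MailboxPermission -Identity $smtp -User $User |
            Where-Object {
                ($_.AccessRights -like '*FullAccess*') -and
                ($_.IsInherited -eq $false) -and
                ($_.Deny -eq $false)
            } |
            ForEach-Object { [pscustomobject]@{ Mailbox = $smtp; User = $User } }
    }
}

# 1. Report what the admin can currently open.
$grants = @(Get-ExplicitFullAccess -User $Admin)
$grants | Format-Table -AutoSize

# 2. Revoke each grant. -Confirm:$false suppresses the per-mailbox prompt.
foreach ($g in $grants) {
    Remove-MailboxPermission -Identity $g.Mailbox -User $Admin `
        -AccessRights FullAccess -InheritanceType All -Confirm:$false
}

# 3. Re-check so a failed removal does not go unnoticed.
$left = @(Get-ExplicitFullAccess -User $Admin)
if ($left.Count -gt 0) {
    Write-Warning "$Admin still has FullAccess on $($left.Count) mailbox(es):"
    $left | Format-Table -AutoSize
} else {
    Write-Output "No explicit FullAccess entries remain for $Admin."
}
```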

Thursday, 16 April 2015

Office 365- Set a Room Mailbox to Show Details of a Meeting in its Calendar



You may notice that meetings with a ‘Room’ mailbox will by default only show a “Busy” status.
Many, including the organisation I work for, wish to have (at the very minimum) the following displayed in the Room’s calendar:
  • Organiser of the meeting, and
  • The subject of the meeting
Below I will demonstrate how to set the permissions so that all meetings (except those explicitly marked as ‘Private’) publicise the above details to all who view its calendar.

  1. First make sure you have the execution policy set to RemoteSigned. You can do this by running PowerShell in admin mode and running: Set-ExecutionPolicy RemoteSigned
  2. Next, run the following to authenticate yourself and import PowerShell commands to your local session:
    $LiveCred = Get-Credential
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
    Import-PSSession $Session

Set the Room calendar to show ‘limited details’ by default

We will do this using the Set-MailboxFolderPermission command. Click the link to see the full list of parameters you can pass in to the command. We will be using ‘limited details’ for the AccessRights variable.
    Set-MailboxFolderPermission -AccessRights LimitedDetails -Identity Room:\calendar -User default

Set the Room calendar to show the ‘Organiser’ and ‘Subject’ of the meeting

We will do this using the Set-CalendarProcessing command. Click the link to see the full list of parameters you can pass in to the command.
    Set-CalendarProcessing -Identity testroom -AddOrganizerToSubject $true -DeleteComments $false -DeleteSubject $false


Else you can take full permissions on the meeting room mailbox and share the calendar

Set-ExecutionPolicy RemoteSigned

$LiveCred = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection

Import-PSSession $Session

Add-MailboxPermission -Identity meetingroomname@domain.com -User yourusername@domain.com -AccessRights FullAccess -InheritanceType All


Remove-PSSession $Session

  1. Log on to your OWA
  2. Click your name in the upper right and, in the drop-down, choose to open another mailbox
  3. Open the Room Mailbox
  4. Share the calendar from OWA as the other user, under calendar share
  5. Make everyone Reviewer


Else you can perform this task in PowerShell also

$LiveCred = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection

Import-PSSession $Session

Set-CalendarProcessing -Identity MeetingRoom@domain.com -AddOrganizerToSubject $true -DeleteComments $false -DeleteSubject $false

# Folder-level rights such as Reviewer are granted with Add-MailboxFolderPermission
Add-MailboxFolderPermission -Identity MeetingRoom@domain.com:\calendar -User username -AccessRights Reviewer

In the last command you can replace the username with the name of a distribution list group (security group) if you want to set the permissions for multiple users.

O365- DirSync Configuration


For DirSync, the default rules will continue to try and sync the on-premises UPN to Azure Active Directory and if the UPN suffix is not valid, the user will be provisioned with a “.onmicrosoft.com” suffix. The configuration change below allows you to modify DirSync such that the on-premises “mail” attribute is used in Azure Active Directory.
DirSync can be modified with the following process:
  1. Open “miisclient.exe” on the DirSync server (Located in “C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell”)
  2. Select the “Management Agents” tab
  3. Right-click the “Active Directory Connector” and select “Properties”
  4. Select “Configure Attribute Flow”
  5. Expand “Object Type: user” and scroll until you find the “Data Source Attribute” of “<dn>,sAMAccountName,userPrincipalName”
  6. Change the “Mapping Type” from “Advanced” to “Direct”
  7. Select “mail” as the “Data source attribute” and confirm that the “Metaverse attribute” is set to “userPrincipalName”
  8. Click “Edit” and then “OK” to save the changes




Considerations Post-Sync

If you have previously run a synchronization job with DirSync, you may run into one of the following scenarios:
  • If the current UPN for the user is a federated domain, DirSync will not change the user’s UPN in Azure Active Directory
  • If the user has a license assigned, DirSync will not change the user’s UPN in Azure Active Directory
In the above situations, you will need to update the user’s UPN in Azure Active Directory using the process documented by my peer Erik Enger: Changing UPN for Office 365 account between two SSO domains