Snippet to build a TLS connector in Exchange Online for a list of domains

Some organisations, in particular German ones, require encryption between your Exchange Online mail servers and their mail servers. This can be enforced by adding their domains to an outbound TLS connector in Office 365.

In my case, this had to be enforced (the default is oppertunistic). If you get a long list, you’ll want to script this with the following snippet. Remember to make sure the first line of your CSV has the header ‘domains’ 🙂


#Author: Jos Lieben
#Help: www.lieben.nu
$UserCredential = Get-Credential $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -AllowClobber -DisableNameChecking

$connector = Read-Host "Type the name you wish to give this connector"
$csv = Read-Host "Type the path to the file with TLS domains"

$domains = Import-CSV -LiteralPath $csv

$newDomains = @()
foreach($domain in $domains){
$ND = [String]$domain.domain
$ND = $ND.Trim()
$newDomains += $ND
}

try{
New-OutboundConnector -Name $connector -recipientdomains $newDomains -ConnectorType "Partner" -TlsSettings "CertificateValidation" -ErrorAction Stop
}catch{
Write-Error "Failed to modify outbound connector $connector $($Error[0])"
}

Configure TLS relay on IIS for Exchange Online / Office 365

A while ago, you may have read that Microsoft will no longer allow relaying everything by default in Exchange Online when using normal authentication starting in february  july 2017.

So I went about and set my SMTP relay in IIS to use a certificate instead, as the article explains.  This resulted in a flood of bad mail drops with the following error:

Action: failed
Status: 5.7.57
Diagnostic-Code: smtp;530 5.7.57 SMTP; Client was not authenticated to send anonymous mail during MAIL FROM

After messing around with this for a while, I discovered the outbound port you have to use when connecting to smtp.office365.com to relay a message using anonymous TLS is port 25, NOT port 587 as we were using before to submit mail using a user account + password.

For those who want to configure a relay server on IIS to allow applications and devices that don’t support TLS, I’ll set out the steps to configure this properly: Continue reading Configure TLS relay on IIS for Exchange Online / Office 365

O365Migrator v0.9 released!

Version 0.9 of O365Migrator is now available as a free download.

What was changed?

  • Differential transfer: upload only changed/new files. (does not process renames, moves and deletes yet!)
  • Subfolder targeting: upload to a specific subfolder instead of the root if specified
  • Better library name detection when admin and user have different language settings

You can find the new version here.

Excluding Skype for Business from ADFS MFA

When you want to use Skype for Business Online, but are using an on premises ADFS implementation and require MFA for all logins, Skype for Business will fail to authenticate. It cannot handle the ADFS Multi-Factor challenge because MFA is not yet supported for Office 365 Online Skype for Business tenants.

To exempt Skype for Business from your ADFS RPT, use the following claims rule


$rp = Get-AdfsRelyingPartyTrust -name "Microsoft Office 365 Identity Platform"

Set-AdfsRelyingPartyTrust –TargetRelyingParty $rp –AdditionalAuthenticationRules 'NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "(?i)skype"]) && NOT EXISTS([Type=="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "(?i)ACOMO"]) && NOT EXISTS([Type=="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "(?i)lync"]) => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'

*With thanks to the IT team at NHTV 😉