Category Archives: Office 365

Provisioning Exchange Online / Office 365 Custom Roles automatically from Okta

Natively, when connected to Office 365, Okta allows you to automatically provision users and/or groups. Additionally, Okta will assign licenses you select, and if configured, set predefined roles in Office 365. This means you have one locus of control, very nice.

Then, Exchange Online allows you to define custom roles where you can scope permissions for your users with far greater granularity compared to the default roles, Okta won’t detect or provision users into these custom roles.

As this was a business requirement for a customer, I coded up a small proof of concept you can schedule that will read membership of selected groups in Okta through the Okta API, then ensure that ONLY those members are in the matching role groups in Exchange Online.

Continue reading Provisioning Exchange Online / Office 365 Custom Roles automatically from Okta

OnedriveMapper v3.10 released!

Version 3.10 of OneDriveMapper has been released!

  • handle the new tile / prompt that appears in IE login mode where Microsoft no longer always redirects to the portal
  • Progress bar color is now a configurable option (cloud/non cloud)
  • alphabetic ordering of configs (cloud only)
  • Fixed auto update loop issue where auto update would break itself for subsequent updates.
  • When restarting self (switching auth mode or auto updating) properly hide the console if this was set

Important Auto Update Instructions

If you were using Auto-Update, DO NOT do so for this version. Use the MSI to replace the old version (see last fixed issue).

New Azure AD Signin experience

As some may have read, Microsoft is previewing a potentially disruptive change without advance notice. My tenants don’t yet display the new behavior so I cannot test if OnedriveMapper will be affected. I haven’t heard of any issues yet 🙂

Get the new version here

GroupSync v0.56 available!

Version 0.56 is out, changes since v0.50:

  • prevent running twice (if scheduled task hangs for some reason)
  • send email notification if logfile is locked
  • replace add-adgroupmember and remove-adgroupmember with set-adgroup because of a known bug in these commands
  • multi-delete protection
  • auto reconnect to Exchange Online when the connection times out + longer timeout
  • additional filtering method for groups: extensionAttribute2
    • If you want to use this instead of the displayName prefix filter, read up on how to switch

Get it here

Onedrive Files On Demand is finally coming!

I’ve been ‘mentioning’ it a few times here and there, wasn’t allowed to say too much….but now it is finally public, coming before the end of the year Onedrive will have a sync on demand feature, no longer requiring local storage on your device!

It will allow all of us OnedriveMapper users to switch to a fully supported Microsoft solution for Windows 10 users.

Quirky thing is, Windows 7 and 2008 / 2012 R2 are not in scope. Possibly another good one to vote on at uservoice 🙂

O365Undo updated for O365 Groups

O365Undo is a great script you can use to roll back actions of your user(s) in Office 365. Most likely, actions your user wasn’t aware of but were actually done by a CryptoLocker or by RansomWare.

These nasty virusses can cause havoc on your mapped or synced Sharepoint Online or Onedrive for Business libraries in the form of file level encryption or file name obfuscation.

This new version also protects Office 365 Groups.

Read more or download the script

Using Powershell to check a user’s tenant logon setting in Office 365 (without logging in)

I was interested in being able to see, for any given email, what type of authentication Microsoft requires for that user. This could be Office 365 (Azure AD) native, ADFS, etc.

Powershell can easily help you out:

Add-Type -AssemblyName System.Web
$uidEnc = [System.Web.HttpUtility]::HtmlEncode($uid)
$res = Invoke-WebRequest -Uri -SessionVariable cookies -Method Get -UseBasicParsing
$stsRequest = ($res.InputFields | where {$_.Name -eq "ctx"}).Value
$flowToken = ($res.InputFields | where {$_.Name -eq "flowToken"}).Value
$canary = ($res.InputFields | where {$_.Name -eq "canary"}).Value
$res = Invoke-WebRequest -Uri "$uidEnc&api-version=2.1&stsRequest=$stsRequest&checkForMicrosoftAccount=false" -WebSession $cookies -Method GET -UseBasicParsing

The response will contain a redirect to another authentication provider (ADFS) or Azure AD Native. This is an example JSON response:

{"NameSpaceType":"Managed","Login":"","DomainName":"","FederationBrandName":"Lieben Consultancy","TenantBrandingInfo":null,"cloud_instance_name":""}

If you also wish to include Microsoft accounts, set the checkForMicrosoftAccount parameter in the second request to true

AzureAD Connect SSO
If you’re using AzureAD Connect SSO, you can use the above to check if this is correctly set in Office 365. The JSON response will contain a propert is_dsso_enabled, which will be set to True

Copy local AD contacts to O365

Recently I needed a basic method to copy over contacts from a local AD to O365, and in cases where a read-write contact already exists; update it. The scenario made sense, as we were working with multiple source AD’s where some had contacts of each other’s mail users, causing adsync conflicts. Thus we decided to take contacts out of ADsync scope and just copy them once.

The logic of the attached script is as follows:









Note that the script ONLY imports the displayname, primary and all secondary email addresses, and sets an extra X500 address for the legacy exchangeDN to avoid outlook cache hit misses.

If you need it, here’s a download link:


New-DlpComplianceRule usage / example

I was messing around a little with Office 365 Compliance settings using Powershell, as I’d like to configure a large number of tenants with certain Data Loss Prevention (DLP) rules based on sensitive data in Sharepoint Online, Onedrive for Business and  Exchange Online.

I then noticed that it wasn’t possible to use New-DlpComplianceRule in conjunction with predefined or custom sensitive data types, my code + error:

New-DlpComplianceRule -Name "SocialSecurityRule" -Policy "JosLTest" -ContentContainsSensitiveInformatio
n @{Name="Credit Card Number"; minCount="2"} -BlockAccess $True
The value specified in sensitive information is invalid.
+ CategoryInfo : NotSpecified: (:) [New-DlpComplianceRule], InvalidContentC...mationException
+ FullyQualifiedErrorId : [Server=DB5EUR01WS007,RequestId=4a19a0bd-abea-4e06-9dc1-47fc35be9d63,TimeStamp=16-11-201
6 12:02:24] [FailureCategory=Cmdlet-InvalidContentContainsSensitiveInformationException] D7D004DA,Microsoft.Office
+ PSComputerName :

Fun thing is, this is actually exactly as Technet shows how it should be done.

So I called support, apparently this is a bug. So, for now, if you want to create a DLP compliance policy and rule, follow this example: Continue reading New-DlpComplianceRule usage / example