Category Archives: Exchange Online

Configure TLS relay on IIS for Exchange Online / Office 365

A while ago, you may have read that Microsoft will no longer allow relaying everything by default in Exchange Online when using normal authentication starting in february  july 2017.

So I went about and set my SMTP relay in IIS to use a certificate instead, as the article explains.  This resulted in a flood of bad mail drops with the following error:

Action: failed
Status: 5.7.57
Diagnostic-Code: smtp;530 5.7.57 SMTP; Client was not authenticated to send anonymous mail during MAIL FROM

After messing around with this for a while, I discovered the outbound port you have to use when connecting to smtp.office365.com to relay a message using anonymous TLS is port 25, NOT port 587 as we were using before to submit mail using a user account + password.

For those who want to configure a relay server on IIS to allow applications and devices that don’t support TLS, I’ll set out the steps to configure this properly: Continue reading Configure TLS relay on IIS for Exchange Online / Office 365

Setting calendar permission in bulk

A simple snippet that’ll allow you to give a certain group PublishingAuthor rights to all calendars in your organization:


$mailboxes = get-mailbox -Resultsize Unlimited
foreach ($mailbox in $mailboxes){
try{
Remove-MailboxFolderPermission -Identity "$($mailbox.alias):\Calendar" -User INSERTUSERORGROUPNAMEHERE -Confirm:$False -ErrorAction Stop | Out-Null
Add-MailboxFolderPermission -Identity "$($mailbox.alias):\Calendar" -User INSERTUSERORGROUPNAMEHERE -AccessRights PublishingEditor -ErrorAction Stop | Out-Null
Write-Host "$($mailbox.alias) processed" -ForeGroundColor Green
}catch{
Write-Host "$($mailbox.alias) failed" -ForeGroundColor Red
}

}

A warning though, calendar permissions in Exchange Online can easily become corrupted. I’ve been in touch with support several times, but their only fix is to tell the user to remove and reapply the permissions, which is a sure way to annoy your users during migration.

So, communicate this in advance!

Exchange Forwarding Report

This powershell snippet will tell you which mailbox is actively forwarding email, in what method (dual delivery or pure forwarding), to which email address and if the corresponding contact still exists and is active.

#Module name: findForwarderDetails
#Author: Jos Lieben (OGD)
#Date: 01-04-2016
#Description: this snippet will discover all active forwarders in your organization, and will print the original mailbox, target contact and target address and forwarding method

$output = @()
$mailboxes = Get-Mailbox -ResultSize Unlimited | Where {$_.ForwardingAddress -ne $Null}

foreach ($mailbox in $mailboxes){

    $obj = New-Object PSObject
    $obj | Add-Member NoteProperty mailboxName($mailbox.DisplayName)
    if($mailbox.DeliverToMailboxAndForward){
        $obj | Add-Member NoteProperty forwardingMode("Dual delivery")
    }else{
        $obj | Add-Member NoteProperty forwardingMode("Forward Only")
    }
    try{
        $contact = Get-MailContact -Identity $mailbox.ForwardingAddress.DistinguishedName -ErrorAction Stop
        $obj | Add-Member NoteProperty forwardingToName($contact.DisplayName)
        $obj | Add-Member NoteProperty forwardingToEmail($contact.ExternalEmailAddress)
    }catch{
        $obj | Add-Member NoteProperty forwardingToName("CONTACT DOES NOT EXIST OR IS DISABLED")
        $obj | Add-Member NoteProperty forwardingToEmail("CONTACT DOES NOT EXIST OR IS DISABLED")
    }
    $output += $obj
}

Write-Output $output

Giving all users access to a mailbox in Office 365 – Exchange Online

So you noticed the ‘All Users’, ‘Everyone’ and ‘Domain Users’ groups are missing in Office 365! That’s a pity if you have a mailbox that your whole organisation should be able to access, because Dynamic Distribution lists can’t be used as a security group.

At first, I thought this would be as simple as enabling ‘Dedicated Groups‘ in AzureAD for the tenant. But no, apparently builtin groups already exist, but are simply invisible in the Office 365 / Exchange Online interface.

So, I looked up the SID of the group I wanted to add here, and used Powershell to add the group to the mailbox’s ACL. Here’s an example, where we’re giving Everyone access to a Office 365 shared mailbox called ‘Public Calendar’:


Add-MailboxPermission -Identity "Public Calendar" -User S-1-1-0 -AccessRights FullAccess

Note: these permissions will be invisible in the web interface of Exchange Online, user Get-MailboxPermission to verify / view them.

Warning: obviously, you should never give ‘everyone’ Full Access permissions to anything.

Automating remote mailbox creation in an Exchange 2010/2013 and Office 365 hybrid setup

In organisations that have moved to Office 365, or are moving to Office 365 while using a hybrid setup with an on-premises Exchange 2010, 2013 or 2016 server and/or Lync/Skype, your helpdesk tools and scripts need to be adjusted.

While previously, you would provision your account in Active Directory, the mailbox on the onpremises Exchange Server and voip functionality on the Lync/Skype server, after your migration, you no longer need to provision mailboxes or lync accounts on premises. After a user has been migrated to Office 365, his ‘user type’ in the Exchange on premises server is ‘Remote Mailbox’. But for new users, this is not set automatically.

If you’re using scripting or tools like ADManager, you can use some simple Powershell commands to set the correct properties on a newly created user.

Configure and run below script Continue reading Automating remote mailbox creation in an Exchange 2010/2013 and Office 365 hybrid setup