One of the gotchas you may encounter when migrating mailboxes to Exchange Online is none registered Accepted Domains in Exchange Online. For example you may encounter the below error;
ERROR: Migration Permanent Exception: You can’t use the domain because it’s not an accepted domain for your organization –> You can’t use the domain because it’s not an accepted domain for your organization.
This maybe due to an email alias on a particular mailbox or all your organisation mailboxes due to an Email Address Policy. When migration to Exchange Online on you need to register all your accepted domains and remove any that may cause you the above issue.
In my case, I had domain.com registered with EXO but not extension.domain.com, as the alias was a legacy address you could be removed from the mailbox either using the Exchange Management Console or my favourite utility PowerShell.
Please ensure that Azure Active Directory has synchronize this change to your mailbox
So in recent months, I have been working a number of large organisation that have issues with special characters that are affecting their migration to the Microsoft Cloud. Yes, I IDFix does an excellent job of correcting a lot of the issues. However, in recent time I have been rolled into customer sites to troubleshoot and report on special characters contained in Distribution Lists and Shared Mailboxes which cannot be migrated to Exchange Online.
What special characters are supported in Office 365?
So first of all, what is and is not supported. The below table gives an excellent break down what the character can be supported in UserNames, Password and Email Addresses.
Allowed In
Character
Name
Character
User Name
Password
Email Address
Accent
`
No
Yes
No
Ampersand
&
No
Yes
No
Angle Brackets
< >
No
Yes
No
Apostrophe
’
No
Yes
Yes***
Asterisk
*
No
Yes
No
At Symbol
@
No
Yes
No
Backslash
\
No
Yes
No
Braces
[ ]
No
Yes
No
Brackets
{ }
No
Yes
No
Circumflex
^
No
Yes
No
Colon
:
No
Yes
No
Comma
,
No
Yes
No
Dollar Sign
$
No
Yes
No
Equal Sign
=
No
Yes
No
Exclamation Point
!
No
Yes
No
Hyphen
–
Yes*
Yes
Yes*
Number Sign
#
No
Yes
No
Parentheses
( )
No
Yes
No
Percent Symbol
%
No
Yes
No
Period
.
Yes*
Yes
Yes*
Pipe
|
No
Yes
No
Plus Sign
+
No
Yes
No
Question Mark
?
No
Yes
No
Quotation Mark
“
No
Yes
No
Semicolon
:
No
Yes
No
Forward Slash
/
No
Yes
No
Tilde
~
No
Yes
No
Underscore
_
Yes**
Yes
Yes**
Uppercase Letters (A-Z)
A-Z
Yes
Yes
Yes
Lowercase Letters (a-z)
a-z
Yes
Yes
Yes
Numerals (0-9)
0-9
Yes
Yes
Yes
In order to test for the special characters above I have created the following script
}
else
{
#Write-Host "Special Character",$char," not detected in " $object.UserPrincipalName
}
}
catch
{
Write-Host "Great News!! we was unable to detect",$char,"in samaccountnames for all Distribution List" -ForegroundColor Green
}
}
}
Data Loss Prevention has now been included into Microsoft but being a Skype for Business consultant have you ever configured DLP? Probably not.
So this post will look how it is configured from Start to Finish so let’s start with the standard prerequisites;
Office 365 Global Administrator Account
Launch Microsoft 365 Admin Center –> Select Security from under Admin Center
Admin Center
Click “More resources” and Open for Office 365 Security and Compliance Center
Click Data Loss Prevention –> Click Policy –> Click Create a policy
Data Loss Prevention
For the purpose of this post I will be creating a policy for covering UK National Insurance Numbers / Passport Numbers. DLP has a list of generic policies or you can configure a custom policy
Select –> Privacy –> Select UK Personally Identifiable Information (PII) Data –> Click Next
Polices
Click Next
Create Policy
At this stage you can select if you want to configure this policy for Exchange email, Microsoft Teams chat and channel messages, OneDrive and SharePoint Documents or specify a subset of services.
Select your required option –> Select Next
Microsoft Teams or All
Example of specifying a subset of services, at this stage you can also Include/Excludes Groups, Accounts and Sites.
Select options
Select Find content that contains
For this post, I am looking for PII data that is being shared outside my organisation.
Select Next
Configure Policy
Using the default options here but you can configure option to send incident report to a Distribution List or individuals. Select Next
Configure Policy
Select “I’d like to test it out first” or Yes, turn it on right away. This is depending if your organisation is ready for the big switch on. The tenant being used in this post is a test tenant will small amount of users.
Press Next
Configure policy
Review your configured settings –> Select Create
Review
Testing – DLP for Micorsoft Teams
So like with all things Microsoft, we have to wait for replication to take place before we can really start testing DLP. Please dont expect your change to work straight away as its needs to work its way through the big Microsoft cloud.
Email Notification that NINO Number has been shared using Microsoft TeamsWarning Message to the User that sent the NINO Number Email Notification that NINO Number detected in Exchange
So its safe to say DLP is now working within my tenant.
When working with customer environments it is very possible a 3rd party appliance maybe involved and for the purpose of this post I will be directly looking at Mimecast to see how its configured to work with Office 365.
Prerequsities
An Office 365 administrator logon with permission to create a send connector.
Your internal domains must already be registered with us.
A Mimecast administrator logon with at view permission to the Gateway | Accepted Email menu item.
Mimecast recommend that if you are switching MX records, this task must be completed 3 days before changing the MX record to point at Mimecast. The reason for this allows Mimecast to build your Auto Allow list, based on recipients your users send messages to.
This has a positive impact on inbound email delivery speed, because many senders will already be known and consequently not be subject to our greylisting security feature.
Updating the SPF Record for your Domain(s)
You must have an SPF record for the domain(s) registered with Office 365. When implementing Mimecast with Office 365, this record must be updated in the DNS zone for the relevant domain to include the following:
Replace with or add: v=spf1 include:_netblocks.mimecast.com ~all
Important Note: If your outbound email is temporarily coexisting with Mimecast, you can leave the v=spf1 include:spf.protection.outlook.com –all SPF record. However, it must be removed once all your outbound email is routed through Mimecast.
Configuring Outbound Routing
Important Note: Mimecast has known issue with browsers that are not Internet Explorer and its recommend this process is completed using Internet Explorer only. All other browsers tested have issues.
Recommendation: Disable or remove any other Outbound Send Connectors. Failure to do this means your outbound email still uses these and isn’t routed through us.
Any send connectors used for other purposes (e.g archiving) may still be enabled. If in doubt, consult Mimecast Support.Any send connectors used for other purposes (login archiving) may login be enabled. If in doubt, consult Mimecast Support.
Adding the Office 365 Tenant Domain as an Internal Domain
Your Office 365 tenant domain must be added to the list of internal domains available in the Mimecast Administration Console. See the Configuring Internal Domain / Subdomains page for full details. This enables us to recognize certain auto response messages, where the sender address is not a normal internal domain. This is typically in the format @domain.onmicrosoft.com. Contact the Mimecast Support team if you have queries regarding this step.
Once this step is complete, Office 365 must be added to your authorized outbounds as an umbrella account. View the Maintaining Authorized Outbound Addresses page for more information.
To verify that Office 365 is successfully routing email outbound via us:
Log on to the Offic 365 Administration Console.
Select Admin | Exchange
Exchange Admin Centre
Select Mail Flow | Connectors Create a Connector
Mail Flow | Connectors
Select Office 365 – From Field Select Partner organization – To Field
Mail Flow Scenari
Enter Name for Connector Enter Description for Connector – Optional Ensure “Turn it on” is ticked
Select “Only when email messages are sent to these domains” Press the ( + )
Type the value * which will allow all outbound email to Mimecast
Press Next
Select “Route email through these smart hosts” Press the ( + )
Now, depending on your location you will need to use the Smart Host address from the table
Region
Office 365 Account Hostnames
America
us-smtp-o365-outbound-1.mimecast.com
America
us-smtp-o365-outbound-2.mimecast.com
Australia
au-smtp-o365-outbound-1.mimecast.com
Australia
au-smtp-o365-outbound-2.mimecast.com
Europe (Excluding Germany)
eu-smtp-o365-outbound-1.mimecast.com
Europe (Excluding Germany)
eu-smtp-o365-outbound-2.mimecast.com
Germany
de-smtp-o365-outbound-1.mimecast.com
Germany
de-smtp-o365-outbound-2.mimecast.com
Offshore
je-smtp-o365-outbound-1.mimecast-offshore.com
Offshore
je-smtp-o365-outbound-2.mimecast-offshore.com
South Africa
za-smtp-o365-outbound-1.mimecast.co.za
South Africa
za-smtp-o365-outbound-2.mimecast.co.zaM
As shown below
Smart Host for Mimecast
Press Next
Select “Always use Transport Layer Security (TLS) to secure this connection (recommended)” Select “Issued by a trusted certificate authority (CA)
Before pressing next please ensure that you confirm all your configured settings Press Next
Press the ( + ) this will allow you to validate the connector
Enter an external email to send the test email
Click Validate
If everything is ok and configured correctly you should see a success message
Press save !!! and your all done
Success!!!
Recommendation: Disable or remove any other Outbound Send Connectors, if this is not completed it may cause email to fail as it won’t be routed through Mimecast
But if doing the above seems a bit boring, there’s always PowerShell 🙂
Add your Office 365 domain as an internal domain in Mimecast
The Office 365 domain(s) must be added to the list of internal domain available in the Mimecast Administration console, if this action is missed. Mimecast are unable to recognise auto response message where the send address maybe @domain.onmicrosoft.com. Mimecast have a section about this on their website, please follow the link below. Configuring Internal Domain / Subdomains
Verify your configuration
To verify that Office 365 is successfully routing email outbound via us:
Log on to the Administration Console.
Click on the Administrationtoolbar button.
Select the Message Center | Accepted Messages menu item.
You should see messages from your organization’s internal users to external recipients. If you don’t see messages shortly after they’re sent, this indicates a configuration problem on your Office 365 send connector. Double check your configuration. Use the Office 365 Message Trace Tool in the Mail Flow | Message Trace menu of the Exchange Admin Center to help identify the issue.
Important Note: Once this step is complete, Office 365 must be added to your authorized outbounds as an umbrella account. View the Maintaining Authorized Outbound Addresses page for more information.
If there’s one thing most IT department are not great at its removing Exchange Mailboxes for Disabled Users. So here’s a quick Powershell win to determine who within your Exchange organisation has a mailbox and a disabled AD account.
While constructing a PowerShell script for gathering information about Distribution Lists within a customers environment, I ran into the following error
Method invocation failed because [System.Management.Automation.PSObject] doesn’t contain a method named ‘op_Addition’.
ERROR!!!
1
This error was being generated by a missing array within my PowerShell code
PowerShell is one of the greatest tools within any IT Professional toolkit, it enables you to do far more than any GUI available to you today. In my life as a Consultant for a Global Microsoft SI (System Integrator), I face challenges every day where PowerShell has come to the rescue. One of the best cmdlet I use in a lot of script is
ForEach which is the alias name of ForEach-Object
Imagine you need to modify an ExtensionAttribute for your entire organization or grant a permission to a subset of users, ask yourself this? How would I do this in a GUI? and the answer would be “with great difficulty or very time consuming”. This is Foreach-Object comes into play, in the below example I need to modify the PrimarySMTPAddress due to special characters being used
Get-DistributionGroup
In order to correct this, I will be using a source CSV file which contains SamAccountName for the identity of each DistributionList and the correct PrimarySMTPAddress.
Source CSV file
Now for the most important element, the powershell script which will be used to modify the PrimarySMTPAddress. The below script has been designed to achieve the required outcome but also includes the ability to;
Be ran using native PowerShell for On-Premises Exchange Servers (2007 through to 2019)
Be ran against Exchange Online
So as we can see the Foreach command is being used in the following;
For each $row within the $csv which is being imported try and get the distribution list using the column heading SamAccountName
If the Identity cannot be found the script will move to the catch
If the Identity can be found the script will set the distribution list using the column heading PrimarySMTPAddress
The catch is alert if there are any unsuccessful attempts at setting the PrimarySMTPAddress
Simples!!
Clear-Host $file = "$env:USERPROFILE\OneDrive\Desktop\groups.csv" $csv = import-csv -Path $file region Exchange Module SnapIn # Exchange 2007 #Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin; # Exchange 2010 #Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010; # Exchange 2013/2016 #Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn; endregion Transcript Start-Transcript -Path $env:USERPROFILE\OneDrive\Desktop\Get-DistributionGroup.txt Foreach ($row in $csv) { try { Get-DistributionGroup -Identity $row.SamAccountName | Set-DistributionGroup -PrimarySmtpAddress $row.PrimarySmtpAddress Write-Host 'INFO:' ($row.SamAccountName),'Primary SMTP Address has now been modified to',($row.PrimarySmtpAddress) -BackgroundColor Green } catch { Write-Host 'ERROR:' ($row.SamAccountName),'Primary SMTP Address has not been modified to',($row.PrimarySmtpAddress) -BackgroundColor Red } } Stop-Transcript Get-DistributionGroup
I have included Start-Transcript as this will dump out all Write-Host entry whether they was successful or not.
When working with Exchange there may be a requirement to create a PowerShell script using PowerShell ISE. Even if you run ISE on a Exchange Server you are unable to get the Exchange cmdlet in ISE, so the workaround for this is to use the following command;
If you are trying to add the Exchange cmdlets to your client machine you will need to Install the Exchange Management Tools from the Exchange installation media
The command to import the Exchange modules is different for each version – please use the appropriate command below:
Before the joys of Export-CSV there used to be another way of dumping Active Directory data to CSV using again native tooling. In a recent project I have had to rediscover the old ways and go back to school to learn the required switches, which I am now going to share with you all.
Switch
Description
-a
UserDistinguishedName
Password. If you must use these switches, then treat -a and -b as
a pair. A likely scenario is that you are logged on as
non-administrator and wish to run CSVDE against your Active Directory.
As a non-administrator, you would get an error unless you employ these
switches to connect with the correct credentials
-b
UserDistinguishedName
Password. If you must use these switches, then treat -a and -b as
a pair. A likely scenario is that you are logged on as
non-administrator and wish to run CSVDE against your Active Directory.
As a non-administrator, you would get an error unless you employ these
switches to connect with the correct credentials
-c
String1 String2. This
switch replaces all olddomain names in String1 with newdomain names
String2. Could be used to change all dc=oldom distinguished name in the
export domain (String1) with dc=newdom of the import domain (String2).
-d
This is useful filter switch for
when you want to export from just one OU. Use the -d switch to set the
root directory for the export. For example, if you are only interested
in an OU called Newport type, CSVDE -f export.csv -d
“OU=mycompany,DC=domain,DC=com”.
Note, there are no spaces between domain,DC=com.
-f
filename is a mandatory switch
for both import and export. Simply specify the .csv file for transfer
data. It makes life easier if this file is in the same directory as you
issue the CSVDE command. Here is an export example CSVDE
-f export.csv
-g
Omits paged
searches. I have never bothered with this switch.
-i
Switches CSVDE to import
mode. For example, CSVDE -i -f export.csv. Remember that the default mode is export, in which case
it’s just plain CSVDE -f FileName.csv
-j
Path Sets the log file
directory. The point of a log file is that it’s permanent where as the
-v verbose mode is ephemeral. -j creates one or two log files. It
always creates a file called csv.log, additionally it creates csv.err if it encounters
any errors.
-j
Trap: As far as I can see
without the -j switch, CSVDE will not create a log file at all. I
mention this as other documentation suggests that you are just setting the
path, in my opinion, with -j you are creating the file as well as setting its
path.
-k
Useful for ignoring simple
errors: “Object already exists,” “Constraint violation,”
and “Attribute or value already exists.” I almost always use
this switch as part of the CSVDE import command
-l
LDAP Attributes. On
the one hand, I think of L for list, on the other hand I think of -l as a
column-wise filter. What this switch does is export only the LDAP
properties that you are interested in and ignores the rest of the attributes.
Example CSVDE -f export.csv -l “DN,
objectclass, objectcategory, givenName, sn”.
Note the position of speech marks and commas.
-m
Another column-wise
filter. Omits Active Directory properties such as the ObjectGUID, objectSID, pwdLastSet
and samAccountType
attributes.
I hope these switches help you, like they have helped me and credit to all the previous bloggers which enabled me to get this list together.
![Method invocation failed because [System.Management.Automation.PSObject] doesn’t contain a method named ‘op_Addition’.](https://i0.wp.com/www.blogabout.cloud/wp-content/uploads/2019/04/2019-04-01_10-29-12.jpg?fit=960%2C356)
