Say goodbye to your legacy PSGallery modules with Get-InstalledModuleUpdate.ps1

Working as a Microsoft Cloud Consultant, sometimes it's hard to keep up to date with all the latest releases of the required PowerShell modules installed on your client machine. Wouldn't it be nice if there was a script that took all that pain away?

Say hello to the Get-InstalledModulesUpdate.ps1 script

This script is based off my Microsoft Teams Detection script, but instead of looking at just that module, I am grabbing all your installed PowerShell modules and checking each one against the PSGallery.

Module checking

As you can see from my screenshot, the script has looked at each module installed on my client machine and compared it to the online version. If a legacy module was detected, the update process would start to remove the old version and install the latest from the gallery.
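
The comparison described above can be sketched as follows. This is an added example, not the Get-InstalledModulesUpdate.ps1 script itself; the function names Get-OutdatedModule and Update-OutdatedModule are hypothetical, and only the standard PowerShellGet cmdlets are used.

```powershell
# Added example (not the author's script). Function names are hypothetical.
function Get-OutdatedModule {
    [CmdletBinding()]
    param([string]$Repository = 'PSGallery')

    foreach ($installed in Get-InstalledModule) {
        # Only compare modules that were installed from the repository being checked,
        # so a same-named package in another feed is never pulled in by mistake.
        if ($installed.Repository -ne $Repository) { continue }

        $online = Find-Module -Name $installed.Name -Repository $Repository -ErrorAction SilentlyContinue
        if (-not $online) { continue }    # unlisted or no longer published

        # Prerelease strings do not cast to [version]; -as returns $null for those.
        $have = $installed.Version -as [version]
        $want = $online.Version -as [version]
        if ($have -and $want -and $want -gt $have) {
            [pscustomobject]@{
                Name      = $installed.Name
                Installed = $have
                Online    = $want
            }
        }
    }
}

function Update-OutdatedModule {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Repository = 'PSGallery')

    foreach ($module in Get-OutdatedModule -Repository $Repository) {
        $action = "Replace $($module.Installed) with $($module.Online)"
        if ($PSCmdlet.ShouldProcess($module.Name, $action)) {
            # Same order as the post: remove the old version(s), then install the latest.
            Uninstall-Module -Name $module.Name -AllVersions -Force
            Install-Module -Name $module.Name -Repository $Repository -RequiredVersion $module.Online -Force
        }
    }
}

# Report first, then preview the change before committing to it.
Get-OutdatedModule | Format-Table -AutoSize
Update-OutdatedModule -WhatIf
```

Drop `-WhatIf` from the last line once the preview lists only the modules you expect to be replaced.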

This script is available via my Github or via this site.

Download

Get-InstalledModulesUpdates.ps1 (3 downloads)

Change Log

Version 1.0 – Features

  • Initial release

Version 1.1 – Features

  • Minor updates to code structure

Regards

The Author – Blogabout.Cloud

New functionality now in preview for Conditional Access

So I was happily minding my own business looking at the configuration of my Conditional Access and noticed 3 new options have appeared:

  • Baseline policy: End user protection (Preview)
  • Baseline policy: Block legacy authentication (Preview)
  • Baseline policy: Require MFA for Service Management (Preview)

Baseline policy: End user protection (Preview)

This policy protects users by requiring multi-factor authentication (MFA) during risky sign-in attempts to all applications. Users with leaked credentials are blocked from signing in until a password reset.

Once the policy is enabled, users are required to register for MFA within 14 days of their first login attempt. The default method of MFA registration is the Microsoft Authenticator App.

This policy is either On or Off and you can also exclude users from receiving this policy.

Baseline policy: Block legacy authentication (Preview)

This policy blocks all sign-ins using legacy authentication protocols that don’t support multi-factor authentication (such as IMAP, POP, SMTP). The policy does not block Exchange ActiveSync.

  • Office 2013 (without registry keys)
  • Office 2010
  • Thunderbird client
  • Legacy Skype for Business
  • Native Android mail client

This policy is either On or Off and you can also exclude users from receiving this policy. This policy is great as I have configured a custom built policy for just this but my policy also includes Exchange Active Sync.

Baseline policy: Require MFA for Service Management (Preview)

This policy requires users logging into services that rely on the Azure Resource Manager API to perform multi-factor authentication (MFA).

Services requiring MFA include:

  • Azure Portal
  • Azure Command Line Interface (CLI)
  • Azure PowerShell Module

This policy is either On or Off and you can also exclude users from receiving this policy.

It's great to see some more brilliant developments in Conditional Access and I'm really excited to see these go live with customers.

Regards
The Author – Blogabout.Cloud

Prerequisite not satisfied: Before you install Skype for Business Server 2015, you must install an update for Windows Server 2012 R2.

When rolling out a Skype for Business 2015 Front End, I ran into the following issue after running the Deployment Wizard Step 2;

Skype for Business Deployment Wizard Error

Prerequisite not satisfied: Before you install Skype for Business Server 2015, you must install an update for Windows Server 2012 R2.  For details about the update, see Microsoft Knowledge Base article 2982006, “IIS crashes occasionally when a request is sent to a default document in Windows 8.1 or Windows Server 2012 R2” at http://go.microsoft.com/fwlink/?LinkId=519376.

On closer investigation of the Deployment Wizard I could see that KB2982006 is missing from the Windows 2012 R2 OS.

The operating system was completely up to date with all the latest Microsoft Updates, so in this case I used my trusted steed “PowerShell” to check if all the required Windows updates were applied for KB2982006.


Get-Hotfix KB2919442,KB2919355,KB2982006

This PowerShell command checks for the required KBs as well as the missing KB2982006

The resolution for installing KB2982006 is a simple one but you are required to use Deployment Image Servicing and Management otherwise known as DISM to install the KB

Resolution Steps

Download the KB to a location on your server; for this I'll be using a temporary folder on the C: drive called Patch. PLEASE NOTE: The folder must exist before running the below command.

Launch the Windows PowerShell console.

Type the following command;
expand -F:* C:\Patch\Windows8.1-KB2982006-x64.msu C:\Patch\KB2982006

Now type the following command;
dism.exe /Online /Add-Package /PackagePath:C:\Patch\KB2982006\Windows8.1-KB2982006-x64.cab

If you rerun Get-Hotfix KB2919442,KB2919355,KB2982006 you should now see the KB2982006 hotfix installed.

You will now be able to successfully complete Step 2 of the Deployment Wizard and build your Skype for Business Front End.
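
The steps above, gathered into one script as an added example (not from the original post). It uses the post's C:\Patch paths; the signature check on the extracted .cab and the handling of DISM's 3010 (restart required) exit code are additions.

```powershell
# Added example. Run from an elevated PowerShell console on the Windows Server 2012 R2 host.
$required = 'KB2919442', 'KB2919355', 'KB2982006'
$msu      = 'C:\Patch\Windows8.1-KB2982006-x64.msu'   # paths as used in the post
$target   = 'C:\Patch\KB2982006'
$cab      = Join-Path $target 'Windows8.1-KB2982006-x64.cab'

# Get-HotFix writes an error for IDs it cannot find, so collect what is present quietly.
$present = @(Get-HotFix -Id $required -ErrorAction SilentlyContinue | ForEach-Object HotFixID)
$missing = @($required | Where-Object { $present -notcontains $_ })

# Report the other two updates if they are absent; this script only installs KB2982006.
$missing | Where-Object { $_ -ne 'KB2982006' } | ForEach-Object {
    Write-Warning "$_ is not installed."
}

if ($missing -contains 'KB2982006') {
    if (-not (Test-Path -LiteralPath $msu)) { throw "Download the update to $msu first." }

    # expand.exe does not create the destination folder, so make sure it exists.
    New-Item -ItemType Directory -Path $target -Force | Out-Null
    & expand.exe '-F:*' $msu $target
    if ($LASTEXITCODE -ne 0) { throw "expand.exe failed with exit code $LASTEXITCODE." }

    # Refuse to install a package whose Authenticode signature does not validate.
    $signature = Get-AuthenticodeSignature -FilePath $cab
    if ($signature.Status -ne 'Valid') {
        throw "Signature check failed for ${cab}: $($signature.Status)"
    }

    & dism.exe /Online /Add-Package "/PackagePath:$cab"
    switch ($LASTEXITCODE) {
        0       { 'KB2982006 installed.' }
        3010    { 'KB2982006 installed; restart the server to finish.' }
        default { throw "dism.exe failed with exit code $LASTEXITCODE." }
    }
}

# Final state of the three updates.
Get-HotFix -Id $required -ErrorAction SilentlyContinue | Select-Object HotFixID, InstalledOn
```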

Regards

The Author – Blogabout.Cloud

Working with Variables located in PowerShell Functions

I have been recently working on updating a number of my PowerShell scripts and ran into an issue where my variables were unavailable within a function. The resolution for this is making the variables globally available to all the function(s) that are contained within your script.

So, as you can see below, I have configured my script blocks into functions and converted the parameter variables into $Global: variables. This will allow the Get-MailMessage function to use the $Global: variables within its own function.

Without $Global:
With $Global:

However, there is one more step required to ensure that the variables can use the globally defined variables. I have a configure region within my script that contains all my defined variables and in here I have put for example $Global:Variable = $Global:Variable

$Global:Variables = $Global:Variables

As you can see from the above image, the variables located in the New-MailMessage function are not highlighted in yellow.
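
A minimal reproduction of the behaviour described above, as an added example rather than the author's script: Set-MailSettings, the variable names and the sample values are constructed. It also shows the narrower `$Script:` scope, which the post does not use, because `$Global:` variables stay in the session after the script ends.

```powershell
# Added example. Save as a .ps1 file and run it; all names and values are constructed.
function Set-MailSettings {
    param([string]$SmtpServer, [string]$Recipient)

    $Server            = $SmtpServer   # plain assignment: local to this function only
    $Global:Recipient  = $Recipient    # global: visible to every function in the session
    $Script:SmtpServer = $SmtpServer   # script: visible to every function in this file
}

function Get-MailMessage {
    [pscustomobject]@{
        LocalServer = $Server              # empty: the local copy ended with Set-MailSettings
        Recipient   = $Global:Recipient
        SmtpServer  = $Script:SmtpServer
    }
}

Set-MailSettings -SmtpServer 'smtp.example.com' -Recipient 'user@example.com'
Get-MailMessage | Format-List

# Global variables outlive the script and can be read or overwritten by anything else
# that runs in the same session, so remove them once the work is done.
Remove-Variable -Name Recipient -Scope Global
```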

Tools of the trade

The reason for the highlighted variables within my script is that I use a tool called PowerShell ISE (http://www.powertheshell.com). There is a slight cost but it is well worth it if you are regularly building scripts.

Regards

The Author – Blogabout.Cloud

Azure Active Directory Connect – Exchange Mail Public Folders

Microsoft has included the official release of Exchange Mail Public Folders within the AAD Connect tool. This option enables support for public folders by synchronizing a specific set of attributes for mail-enabled public folders so they are represented in Azure AD. This synchronization is required for including the public folders' addresses in Directory-Based Edge Blocking.

If you have configured Directory Based Edge Blocking, please visit my post on how it is done. http://www.blogabout.cloud/2019/05/697/

This new feature from Microsoft doesn’t create actual public folder objects in the Exchange Online directory; there are additional synchronization steps via PowerShell that are required if you are using Exchange Online.

You should ensure that “Microsoft.Exchange.System Objects” OU is also selected in OU Filtering, (it is selected by default)

The additional PowerShell steps are as follows:

Please Note:

If you have Exchange 2010 public folders, see Configure legacy on-premises public folders for a hybrid deployment.

Step 1: Download the scripts

Download the following files from Mail-enabled Public Folders – directory sync script:

  • Sync-MailPublicFolders.ps1
  • SyncMailPublicFolders.strings.psd1

Save the files to the local computer on which you’ll be running PowerShell. For example, C:\PFScripts.

Step 2: Configure directory synchronization

The directory synchronization service doesn't sync all mail-enabled public folders; the scripts outlined in step 1 will synchronize these objects across on-premises and Office 365. Any special permissions will need to be recreated as these are currently unsupported by Microsoft. Synchronized mail-enabled public folders will appear as mail contact objects for mail flow purposes. These contacts will not be viewable via the Exchange Admin Centre and can only be viewed using Get-MailPublicFolder.

Permissions

In order to recreate the SendAs permissions in the cloud, you will need to use the Add-RecipientPermission cmdlet.

On the Exchange Server, from the folder containing the scripts, run the following PowerShell command to synchronize mail-enabled public folders:


.\Sync-MailPublicFolders.ps1 -Credential (Get-Credential) -CsvSummaryFile:sync_summary.csv

Recommendation

It is always recommended to use the -WhatIf parameter to simulate the action before making environmental changes.

Step 3: Configure Exchange Online users to access Exchange Server on-premises public folders

The final step in this procedure is to configure your Exchange Online organisation to allow access to the Exchange Server public folders. This is completed by running the following command in Exchange Online.


Set-OrganizationConfig -PublicFoldersEnabled Remote -RemotePublicFolderMailboxes Mailbox1,Mailbox2,Mailbox3

The waiting game…

It may take up to 3 hours before the Active Directory synchronization has completed. Once completed, log on to Outlook as a user who is in Exchange Online and perform the following public folder tests:


View the hierarchy.
Check permissions
Create and delete public folders.
Post content to and delete content from a public folder.

Regards

The Author – Blogabout.Cloud

Directory Based Edge Blocking in Exchange Online or (DBEB for short)

What is DBEB? It is a solution that allows an organization to reject messages for invalid recipients at the service network perimeter. DBEB enables your Office 365 Global Administrator to add mail-enabled recipients to Office 365 and block all messages sent to email addresses that aren’t present in Office 365.

Valid messages are then subject to the rest of the service filtering layers which are;

Antimalware
Antispam
Mail Flow Rules (otherwise known as Transport Rules)

Invalid messages are blocked before filtering even occurs, and a non-delivery report (also known as an NDR or bounce message) is returned to the sender. The NDR looks like this:

550 5.4.1 [<InvalidAlias>@<Domain>]: Recipient address rejected: Access denied

Important Note

In hybrid environments, in order for DBEB to work, email for the domain must be routed to Office 365 first (the MX record for the domain must point to Office 365).

Configuring DBEB

First of all, you need to verify that your accepted domain in EXO is set to Internal Relay. This is done by going to Exchange Admin Console –> Mail Flow –> Accepted domains.

If your domain type is Authoritative, you will need to click the Edit button and set it to Internal Relay.

Adding your users to Office 365

In the EAC, go back to Mail flow > Accepted domains.

Select the domain and click Edit.
Set the domain type to Authoritative.
Choose Save to save your changes, and confirm that you want to enable DBEB.

  • Until all of your valid recipients have been added to Exchange Online and replicated through the system, you should leave the accepted domain configured as Internal relay. Once the domain type has been changed to Authoritative, DBEB is designed to allow any SMTP address that has been added to the service (except for mail-enabled public folders). There might be infrequent instances where recipient addresses that do not exist in your Office 365 organization are allowed to relay through the service.
  • For more information about DBEB and mail-enabled public folders, see Office 365 Directory Based Edge Blocking support for on-premises Mail Enabled Public Folders.

Regards.
The Author – Blogabout.Cloud

HCW8078 – Migration Endpoint could not be created

Quicktips: Notes from the field

While running the Exchange Hybrid Configuration Wizard I ran into the following issue:

HCW8078 – Migration Endpoint could not be created
Microsoft.Exchange.Migration.MigrationServerConnectionFailedException
The connection to the server ‘http://mail.domain.com’ could not be complete

This issue is a known issue to Microsoft and the resolution is the good old “Have you tried turning it off and on?”

The resolution was to disable and then re-enable MRSProxyEnabled; this can easily be completed for all servers using:

Get-WebServiceVirtualDirectory | Set-WebServiceVirtualDirectory -MRSProxyEnabled $False

Get-WebServiceVirtualDirectory | Set-WebServiceVirtualDirectory -MRSProxyEnabled $True

You will need to repeat this process for all your servers where MRSProxy is being used:

Invoke-Command -ComputerName Server1 -ScriptBlock {iisreset /restart}

Once you have completed the above steps you will be able to successfully rerun the Hybrid Configuration Wizard without any errors.

Regards
The Author – Blogabout.Cloud

The Great Wall in Microsoft Teams – Information Barrier in Preview

Another great feature has now become available in Microsoft Teams Preview – Information Barrier. This enables organizations to prevent communication between teams within their own Office 365 tenant. The information barrier groups cannot be applied across tenants and using bots to add users is not supported in version 1. Information barrier policies also prevent lookups and discovery. This means that if you attempt to communicate with someone you should not be communicating with, you will not find that user in the people picker.

You might want to use information barriers in situations like these:

  • A team must be prevented from communicating or sharing data with a specific other team.
  • A team must not communicate or share data with anyone outside of the team.

In order to manage the Information Barrier policy you will need to use the Security and Compliance Centre (SCC) PowerShell cmdlets

The information barrier features are in private preview. When these features are generally available, they’ll be included in the following subscriptions:

  • Microsoft 365 E5
  • Office 365 E5
  • Office 365 Advanced Compliance
  • Microsoft 365 E5 Compliance

Microsoft Teams is firmly becoming the powerhouse that was sold at its initial launch and I can only see this product becoming adopted a lot more by organisations.

Regards

The Author – Blogabout.Cloud

Microsoft Teams module now in GA

It's been a long road but Microsoft Teams PowerShell module version 1.0.0 is now available in GA. Microsoft has been working very hard in creating this module and has removed/introduced features in this release. So let's have a look at what we now can and cannot do with Microsoft Teams.

So what’s removed?

So Microsoft have removed the following cmdlets

  • Get-TeamFunSettings
  • Get-TeamGuestSettings
  • Get-TeamMemberSettings
  • Get-TeamMessagingSettings
  • Set-TeamFunSettings
  • Set-TeamGuestSettings
  • Set-TeamMemberSettings
  • Set-TeamMessagingSettings

But do not fear, as the same functionality of these cmdlets has been integrated into Get-Team and Set-Team.

So what’s new?

  • Connect-MicrosoftTeams allows you to specify a Teams Government Environment (-TeamsEnvironmentName) that your organization is homed in.
  • Get-Team allows you to specify new filter and selection criteria to identify specific teams based off of new criteria, including the Visibility or Archived state of the teams.

So it's time to start playing with the Teams module and seeing what interesting scripts can be generated.

Please Note: It is recommended to uninstall any previous version you may have installed. So check out this previous blog post I created:

http://www.blogabout.cloud/2018/09/240/


Regards
The Author – Blogabout.Cloud

Exchange Online: You can’t use the domain because it’s not an accepted domain for your organization

One of the gotchas you may encounter when migrating mailboxes to Exchange Online is non-registered accepted domains in Exchange Online. For example, you may encounter the below error:

ERROR: Migration Permanent Exception: You can’t use the domain because it’s not an accepted domain for your organization –> You can’t use the domain because it’s not an accepted domain for your organization.

This may be due to an email alias on a particular mailbox, or on all your organisation's mailboxes due to an Email Address Policy. When migrating to Exchange Online you need to register all your accepted domains and remove any addresses that may cause you the above issue.

In my case, I had domain.com registered with EXO but not extension.domain.com. As the alias was a legacy address, it could be removed from the mailbox either using the Exchange Management Console or my favourite utility, PowerShell.

Please ensure that Azure Active Directory has synchronized this change to your mailbox.

Set-Mailbox <identity> -EmailAddresses @{remove="<E-mail address>"}
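
One way to find the offending addresses before starting a migration batch, as an added example that is not from the original post. Find-UnacceptedAddress is a hypothetical helper; it takes the accepted domain names as a plain list (for example, copied from the Exchange Online accepted domains page) and expects objects shaped like the on-premises Get-Mailbox output.

```powershell
# Added example. Find-UnacceptedAddress is a hypothetical helper name.
function Find-UnacceptedAddress {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Mailbox,
        [Parameter(Mandatory)] [string[]] $AcceptedDomain
    )
    process {
        foreach ($address in $Mailbox.EmailAddresses) {
            # Proxy addresses look like "SMTP:user@domain.com" (primary) or "smtp:..." (alias).
            # Other address types such as X500 or SIP are not checked here.
            if ("$address" -match '^smtp:[^@]+@(?<domain>[^@]+)$') {
                if ($AcceptedDomain -notcontains $Matches['domain']) {
                    [pscustomobject]@{
                        Mailbox = "$($Mailbox.Identity)"
                        Address = "$address"
                        Domain  = $Matches['domain']
                    }
                }
            }
        }
    }
}

# Constructed sample standing in for one Get-Mailbox result, using the post's domains.
$sample = [pscustomobject]@{
    Identity       = 'Constructed User'
    EmailAddresses = 'SMTP:user@domain.com', 'smtp:user@extension.domain.com', 'X500:/o=Example/cn=user'
}
$sample | Find-UnacceptedAddress -AcceptedDomain 'domain.com'

# Against real data, from the on-premises Exchange Management Shell:
# Get-Mailbox -ResultSize Unlimited | Find-UnacceptedAddress -AcceptedDomain 'domain.com'
```

Each row returned is an address that needs either its domain registered in Exchange Online or the address removed with the Set-Mailbox command above.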

Regards

The Author – Blogabout.Cloud