TechShizz | All posts tagged 'Office 365'

Office 365 - Leavers script

This script is designed to be used with the script password encryption for Office 365. See here https://www.techshizz.com/post/powershell-script-password-ecryption-for-multi-site-administration for more info. 

The out of office part of the script relies on invoking two other scripts I have made. 

Out of Office

Out of Office Custom

## The following four lines only need to be declared once in your script.
$yes = New-Object System.Management.Automation.Host.ChoiceDescription "&Yes","Description."
$no = New-Object System.Management.Automation.Host.ChoiceDescription "&No","Description."
$options = [System.Management.Automation.Host.ChoiceDescription[]]($yes, $no)

## Auto Reply Function
function AutoReply {
$menu=@"

You can now set an out of office, or Quit.

1 Out Of Office - Set template (Must provide alternate contact details)
2 Out of Office - Set a custom message

Q Quit

Select a task by number or Q to quit
"@

Write-Host "Out Of Office" -ForegroundColor Cyan
$r = Read-Host $menu

Switch ($r) {
"1" {
    Write-Host "Loading..." -ForegroundColor Green
    # Run the helper script with the call operator rather than evaluating a string
    & .\_04Out_Of_Office.ps1
    Exit
}

"2" {
    Write-Host "Loading..." -ForegroundColor Green
    # Run the helper script with the call operator rather than evaluating a string
    & .\_05Out_Of_Office_Custom_Message.ps1
    Exit
}

"Q" {
    Write-Host "Removing any PS Sessions..." -ForegroundColor Green
    Get-PSSession | Remove-PSSession
    Exit
}

default {
    Write-Host "Choose a valid option... Fool!" -ForegroundColor Yellow
}
} #end switch 
}


Import-Module MSOnline
$rootpath = (get-item '.\' ).parent.FullName
$clientname = Get-Content "$rootpath\client.txt" -Raw
$user = Get-Content "$rootpath\UserID.txt"
$PasswordFile = "$rootpath\Password.txt"
$KeyFile = "C:\ICU\AES.key"
$key = Get-Content $KeyFile
$UserCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, (Get-Content $PasswordFile | ConvertTo-SecureString -Key $key)
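# Note: Microsoft has since retired Basic authentication for Exchange Online remote PowerShell;
# on current tenants connect with Connect-ExchangeOnline from the ExchangeOnlineManagement module.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection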
Write-Host "Connecting to Exchange Online for $clientname"
Import-PSSession $Session
Write-Host "Connecting to Office 365..."
Connect-MsolService -Credential $UserCredential

## Prompt to search for email address
function EmailSearch {
$title = "Email Search"
$message = "Do you want to search for an email address before you start?"
$result = $host.ui.PromptForChoice($title, $message, $options, 1)
switch ($result) {
    0 {
        $search = Read-Host "Enter Name to Search"
        Write-Host "Searching..."
        Get-Mailbox | Where-Object { $_.Name -Like "*$search*" } | Select-Object DisplayName,PrimarySmtpAddress | Format-Table
        EmailSearch
    }
    1 {
        Write-Host "Exiting Search..."
    }
}
}


function RemoveUser{
#Block User Sign in
Write-Host "Blocking User Sign-in Access..."
Set-MsolUser -UserPrincipalName $emailaddress -BlockCredential $true
#Convert Mailbox to shared
Write-Host "Converting Mailbox to Shared..."
Set-Mailbox $emailaddress -type Shared
Write-Host "Waiting for mailbox to finish converting..."
Start-Sleep 30
#Remove Users Licence
Write-Host "Removing Office 365 License..."
$O365User = Get-MsolUser -UserPrincipalName $emailaddress
Set-MsolUserLicense -userprincipalname $emailaddress -Removelicenses $O365User.Licenses.AccountSkuID
}

## Prompt to add delegate access repeatedly
function DeligateAccessLoop {
$title = "Delegate Access"
$message = "Do you want to provide access to the mailbox to someone else?"
$result = $host.ui.PromptForChoice($title, $message, $options, 1)
switch ($result) {
    0 {
        $deligate = Read-Host "Enter the email address of the delegate"
        # Grant the delegate full access to the leaver's (now shared) mailbox
        Add-MailboxPermission -Identity $emailaddress -User $deligate -AccessRights FullAccess
        Write-Host "Adding Mailbox permissions..." -ForegroundColor Cyan
        DeligateAccessLoop
    }
    1 {
        AutoReply
        Exit
    }
}
}

function RemovefromDistros {
$title = "Remove from groups"
$message = "Do you want to remove this user from all distro groups in the tenant?"
$result = $host.ui.PromptForChoice($title, $message, $options, 1)
switch ($result) {
    0 {
        Write-Host "Output will show errors for each group that the user was not a member of, this is normal, press enter to continue."
        pause
        # Try to remove the leaver from every distribution group in the tenant
        $DGs = Get-DistributionGroup
        foreach ($dg in $DGs) {
            Remove-DistributionGroupMember $dg.name -Member $emailaddress -Confirm:$false
        }
    }
    1 {
        Write-Host "Skipping Distro Removal..."
    }
}
}

EmailSearch

#Grab User ID
$emailaddress = Read-Host "Enter the user's email address"

RemoveUser
RemovefromDistros
DeligateAccessLoop
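
The leaver steps above rely on a fixed 30-second sleep and on looping over every distribution group. The following is an added example, not part of the original script: it polls until the mailbox really is shared before the licence is removed, removes the leaver only from groups they belong to, and reports the resulting state. The function names are hypothetical, and it assumes the Exchange Online and MSOnline sessions opened by the script are still connected.

```powershell
# Added example, not part of the original script. Function names are hypothetical.
function Wait-SharedMailbox {
    param([string]$Identity, [int]$TimeoutSeconds = 300, [int]$PollSeconds = 10)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        # RecipientTypeDetails reads SharedMailbox once the conversion has landed
        $type = (Get-Mailbox -Identity $Identity).RecipientTypeDetails
        if ("$type" -eq 'SharedMailbox') { return $true }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    return $false
}

function Remove-FromMemberGroups {
    param([string]$Identity)
    # Filter server-side on Members (takes a distinguished name) so only groups that
    # contain the leaver are touched; single quotes in the DN are doubled for the filter.
    $dn = (Get-Mailbox -Identity $Identity).DistinguishedName.Replace("'", "''")
    $groups = @(Get-DistributionGroup -ResultSize Unlimited -Filter "Members -eq '$dn'")
    foreach ($group in $groups) {
        Remove-DistributionGroupMember -Identity $group.Identity -Member $Identity -Confirm:$false
        $group.PrimarySmtpAddress   # emit each group the leaver was removed from
    }
}

function Test-LeaverState {
    param([string]$Identity)
    $msol = Get-MsolUser -UserPrincipalName $Identity
    $mbx  = Get-Mailbox -Identity $Identity
    # Explicit (non-inherited) FullAccess grants, excluding the mailbox's own SELF entry
    $delegates = Get-MailboxPermission -Identity $Identity | Where-Object {
        "$($_.AccessRights)" -match 'FullAccess' -and -not $_.IsInherited -and
        "$($_.User)" -notlike 'NT AUTHORITY\*'
    }
    [pscustomobject]@{
        SignInBlocked = [bool]$msol.BlockCredential
        Licensed      = [bool]$msol.IsLicensed
        MailboxType   = "$($mbx.RecipientTypeDetails)"
        FullAccess    = @($delegates | ForEach-Object { "$($_.User)" })
    }
}

# Usage inside the leaver flow, with $emailaddress set as in the script:
#   if (-not (Wait-SharedMailbox -Identity $emailaddress)) { throw 'Mailbox not shared yet; licence left in place.' }
#   Remove-FromMemberGroups -Identity $emailaddress
#   Test-LeaverState -Identity $emailaddress
```

Keeping the `Test-LeaverState` output with the leaver ticket gives a record of who was granted FullAccess to the mailbox and confirms sign-in was blocked.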

Read Receipts showing wrong time or time zone for Office 365 mailbox

If you get read receipts that state the message was read on the previous day, or the time is just wrong, this could be to do with the time settings on the mailbox.

Microsoft has a poor guide on this that explains WHY it happens, but does not say how to resolve it.

https://support.microsoft.com/en-gb/help/2800633/read-receipt-from-an-office-365-recipient-displays-incorrect-time-zone-information

Here is the solution:

We can check this by first connecting to Office 365 via Azure PowerShell, and then running the following command.

Get-MailboxRegionalConfiguration -Identity rtownsend@domain.co.uk | fl

If the TimeZone is wrong, it will be obvious. You will need to change it to your user's local time zone. To see a list of time zones, run this command in PowerShell.

$TimeZone = Get-ChildItem "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Time zones" | foreach {Get-ItemProperty $_.PSPath}; $TimeZone | sort Display | Format-Table -Auto PSChildname,Display

Once you know your time zone, run the following (substituting your correct time zone).

Set-MailboxRegionalConfiguration -Identity rtownsend@domain.co.uk -TimeZone "GMT Standard Time"

https://technet.microsoft.com/en-us/library/dd351103(v=exchg.160).aspx

 

Error: "The security certificate has expired or is not valid" in Outlook

After migrating companies from on-premises Exchange to Office 365, users may see the following error.

"The security certificate has expired or is not yet valid"

This is because the local Exchange server, although switched off, still runs the IIS portion of Exchange. The OWA is pointing users' Outlook at the previous certificate that was used, not Microsoft's servers.

To fix this we need to amend the AutoDiscoverServiceInternalUrl value. 

1. Log on to the old on-premises Exchange server and start the Exchange PowerShell

2. Check current value by running:

Get-ClientAccessServer -Identity "[SERVERNAME]" | Format-List

I would recommend taking a screenshot of this in case you need to revert. Next, ping your Office 365 autodiscover record and verify it's correct. E.g.

Ping autodiscover.domain.com

If all is OK you need to update as follows:

Set-ClientAccessServer -Identity "MBX-01" -AutoDiscoverServiceInternalUri "https://mbx01.contoso.com/autodiscover/autodiscover.xml"

Once this is done, clear the DNS server cache and restart the DNS service. Then on the client machines flush dns:

ipconfig /flushdns

This should resolve the error.

Ref: https://technet.microsoft.com/en-us/library/bb125157(v=exchg.160).aspx

Outlook won't load, stuck on profile loading: Error: X-AutoDiscovery-Error: LiveIdBasicAuth:FederatedStsUnreachable: and failed logon error - STSFailure

We have an Office 365 single sign-on environment where users were having issues starting Outlook. The application would hang on loading the profile. Users could not launch Outlook, nor create a new profile. Users COULD log in to OWA (Office 365) and authenticate against the ADFS.

No changes were made to the network on the on-prem nor the Office 365 environment.

We tried the Microsoft Support and Recovery Assistant for Office 365 but this tool is not supported for Single Sign on environments. 

We ran the following tests on https://testconnectivity.microsoft.com:

Single Sign on - Passed

DNS Tests - Passed

Outlook Connectivity Tests - Failed due to Autodiscover failure

Autodiscover - Failed with the following code:

A Web exception occurred because an HTTP 503 - ServiceUnavailable response was received from Unknown.
HTTP Response Headers:
Retry-After: 30
request-id: 8adf642c-4dac-4a66-972f-5963d53f2381
X-CalculatedBETarget: vi1pr0701mb3005.eurprd07.prod.outlook.com
X-AutoDiscovery-Error: LiveIdBasicAuth:FederatedStsUnreachable:<X-forwarded-for:40.85.91.8><ADFS-Business-682ms>failed logon error - STSFailure - '<s:Fault xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Code><s:Value>s:Sender</s:Value><s:Subcode><s:Value xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">a:InvalidSecurity</s:Value></s:Subcode></s:Code><s:Reason><s:Text xml:lang="en-GB">An error occurred when verifying security for the message.</s:Text></s:Reason></s:Fault>'<FEDERATED><UserType:Federated>Logon failed "firstname.secondname@our-domain.com".;

 

We confirmed connectivity to ADFS with:

https://sts.our-domain.com/adfs/services/trust/2005/usernamemixed

We were a little stuck at this point so we contacted Microsoft for assistance.

After several hours the problem was partly resolved by enabling the Modern Authentication Process.

Reference: 

https://blogs.office.com/2015/03/23/office-2013-modern-authentication-public-preview-announced/

 

https://support.office.com/en-us/article/Enable-Modern-Authentication-for-Office-2013-on-Windows-devices-7dc1c01a-090f-4971-9677-f1b192d6c910?ui=en-US&rs=en-US&ad=US

 

https://social.technet.microsoft.com/wiki/contents/articles/32711.exchange-online-how-to-enable-your-tenant-for-modern-authentication.aspx

 

https://blogs.office.com/2015/11/19/updated-office-365-modern-authentication-public-preview/

 

We still have the Autodiscover errors, but this got the users working. 

 

The fix was to connect to Microsoft Exchange Online via PowerShell and run the following:

Set-OrganizationConfig -OAuth2ClientProfileEnabled:$True

 

Update!!:

The issue has now been fully resolved. After much messing around and hours with Microsoft senior technicians, I spotted that the TIME on the ADFS server and the time on the ADFS Proxy server were out by 7 minutes. Each machine was on a different physical host.

I configured a trusted time source on each physical host, re-ran the tests on testconnectivity.microsoft.com, and the problem was resolved!

The difference in time (+5 minutes) was the cause.
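
A check for the clock difference described above, as an added example that is not part of the original post: it parses `w32tm /stripchart ... /dataonly` output for each host and flags any pair whose clocks differ by more than a tolerance. The host names and the sample output are constructed, and the 300-second default is an assumption taken from the five-minute figure above.

```powershell
# Added example, not from the original post. Host names and sample output are constructed.
function Get-ClockOffsetSeconds {
    param([string[]]$StripchartOutput)
    # Data lines look like "14:02:11, +00.4120000s"; failed samples such as
    # "14:02:13, error: 0x800705B4" do not match and are skipped.
    $samples = foreach ($line in $StripchartOutput) {
        if ($line -match '^\s*\d{1,2}:\d{2}:\d{2},\s*([+-]\d+\.\d+)s') {
            [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
        }
    }
    if (@($samples).Count -eq 0) { throw 'No usable samples (host unreachable or NTP blocked).' }
    ($samples | Measure-Object -Average).Average
}

function Test-ClockSkew {
    param(
        [hashtable]$OffsetsByHost,        # host name -> offset in seconds relative to this machine
        [double]$ToleranceSeconds = 300   # assumed limit, from the five-minute figure in the post
    )
    $names = @($OffsetsByHost.Keys)
    for ($i = 0; $i -lt $names.Count; $i++) {
        for ($j = $i + 1; $j -lt $names.Count; $j++) {
            # Both offsets are measured against the same local clock, so their
            # difference is the skew between the two remote hosts.
            $skew = [math]::Abs($OffsetsByHost[$names[$i]] - $OffsetsByHost[$names[$j]])
            [pscustomobject]@{
                HostA           = $names[$i]
                HostB           = $names[$j]
                SkewSeconds     = [math]::Round($skew, 1)
                WithinTolerance = ($skew -le $ToleranceSeconds)
            }
        }
    }
}

# Constructed sample output standing in for a live run of:
#   w32tm /stripchart /computer:<host> /samples:3 /dataonly
$adfsOut = @('Tracking adfs01.example.internal [10.0.0.10:123].', 'Collecting 3 samples.',
             '14:02:11, +00.4120000s', '14:02:13, +00.4095000s', '14:02:15, +00.4102000s')
$wapOut  = @('Tracking wap01.example.internal [10.0.1.10:123].', 'Collecting 3 samples.',
             '14:02:20, +420.1834521s', '14:02:22, error: 0x800705B4', '14:02:24, +420.1790112s')

Test-ClockSkew -OffsetsByHost @{
    'adfs01.example.internal' = (Get-ClockOffsetSeconds -StripchartOutput $adfsOut)
    'wap01.example.internal'  = (Get-ClockOffsetSeconds -StripchartOutput $wapOut)
}
```

For a live check, pass the output of `w32tm /stripchart /computer:<host> /samples:3 /dataonly` for each host to `Get-ClockOffsetSeconds` in place of the sample arrays.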

Project Professional Online will not install using Click to Run Deployment Tool

We were unable to install Project Professional Online for Office 365.

We had to re-install using configuration.xml using product id of ProjectProRetail

We used

cscript ospp.vbs /dstatusall

to list the installs and licenses and then removed project licenses using

cscript ospp.vbs /unpkey:<install id>

and then activated using the user's login details on O365.