Last few weeks I’ve been struggling with an very difficult Office 365 / Exchange Online case, that got escalated to multiple Microsoft departments to be fixed. I already found one part of the solution, but Microsoft found the second part. Today I would like to take you through all the steps to fix possible causes and resolutions. So the initial problem started with the following error in the Office 365 admin portal with the affected users:
Another symptom is the mailbox provisioning gets stuck, and hangs on “We are preparing a mailbox for this user”
You will only see this error with AD connect sync enabled environments. The problem occurs when the on-premise value mismatches with the Online Archive Guid. With just a few easy steps we can fix this issue.
We will need to fill multiple Active Directory user attributes to resolve this issue.
You want to move your mailboxes from Exchange on-premise to Office 365, and you want to give you users a smooth transition experience, then you will definitely need to implement the following to automatically create and configure a new Outlook profile on all Windows devices.
Within Outlook Microsoft has created ZeroConfigExchange to setup new profiles with minimal user interaction. Depending on your exact configuration Outlook will be configured fully automatically, or the user is required to fill in his email address and/or password.
With Azure Conditional access you get more control over your data, get better security and visibility! To use this feature you will need to buy and assign Azure AD Premium or EM+S E3/E5 licenses to your users.
This manual can be used to enforce the use of the Outlook app on IOS and Android devices by blocking all apps that do not support Modern Authentication like iOS mail and Google mail client.
Step 1: In the Azure Portal go to Conditional Access. On the first page that you get create a New policy
If you deployed Intune to your mobile devices, you want to enforce the use of the Outlook app on the mobile device. We want to make the end user experience as smooth as possible and preconfigure Outlook for the. How can we prepare the Outlook app with your company email settings? With just a few steps, we can get this setup!
Step 1: From the Azure Portal go to Intune –> Clients Apps –> App configuration policies and click Add
Step 2: Give the configuration policy a name and description. Select Device Enrollment type, my preferred method is to use Managed apps, because this will deploy the policy to both enrolled and unenrolled devices. Select the Outlook apps on Associated app, and go to Configuration settings.
With the transition to Azure AD, you might want to connect your AAD joined devices to the traditional file server as explained in this article: Go Azure AD Joined with on-prem DC and fileserver The next step is to map some network drives with Intune!
Step 1: The first step is to create a PowerShell script that will do the actual drive mappings. This script will be placed on a Azure Blob storage (or your internal domain) where you will be able to manage and maintain the script. This script will be run using a second script that we will deploy with Intune. For your convenience I’ve already prepared the script:
In this manual I will explain step by step how to migrate your users from their personal drive to OneDrive using bulk migration in SharePoint Migration tool. This includes preparing the users OneDrive, granting permissions, and setup SharePoint Migration tool.
Before we begin, we will need a migration station, I would recommend to use a server designed for this purpose. On the migration server make sure you install the following:
Last few weeks I’ve been busy with migrating file servers to SharePoint and OneDrive. For this I’ve used the SharePoint Migration tool from Microsoft. Download: Link With just a few easy steps you are able to migrate your data to SharePoint or OneDrive.
In this manual we will focus on SharePoint only, I will create a OneDrive Manual later on including CSV instruction to perform bulk migrations.
When moving your applications to the cloud, it makes sense to start using Azure Services to get the best service, highest availability (SLA) and worry free maintenance provided by Azure. The next step is to use Azure AD identities with Azure SQL Database.
Within a few steps you will have Azure AD user authentication setup.
Azure Application Gateway is an advance type of load-balancer. Where an Azure Load-balancer routes traffic on the transport layer (OSI Layer 4 | TCP + UDP) the Application Gateway is a way more advanced load-balancer. It can route based on URL as well on path’s. On top of that it can do much more, like SSL offloading, autoscaling, redirection, multiple site hosting and the most import of all, it can include a web application firewall (WAF)
With all the features that the Azure application gateway provides, we should be able to setup multiple websites listening on different ports and url’s behind one Azure Application Gateway with just one external IP address.
With this guide you should be able to setup an application gateway with multiple site hostname match and http to https redirect. In this manual we will be using Atlassian Jira and Confluence as an example.
So what are we going to setup:
Deploy Azure application gateway
Configure 2 external URL’s (jira.2azure.nl and confluence.2azure.nl)
We will redirect port 80 to 443 for both websites
Jira will be listening on port 8080 internally (Default port)
Confluence will be listening on port 8090 internally (Default port)
For this guide the VNET, subnets and the virtual machine hosting both websites have already been deployed. During this guide we will not deploy a Web Application Firewall, I will tell more about that in upcoming blog article.
Microsoft released Lighthouse last weekend, and since this is a great feature, I wanted to implement it as soon as possible, but the Microsoft docs might be a bit confusing, so I wanted to simplify the manual, so here it is! We will be using PowerShell, as this makes life so much easier, and faster.
Your admin tenant needs to have a valid Azure subscription
You need to have a native user account with the new Owner role in the tenant that you want to manage (Customer tenant)
Azure PowerShell module: AZ (Install-Module -Name az)
If you have a ADFS server for your user authentication in Office 365 / Azure AD, and you want to use Pass Through Authentication and/or password Hash Synchronization we will need to change a few things and run a few Powershell commands.
So before we can change the domain to managed, verify if your domain has password sync enabled using the AD connect wizard:
If you have an AD Connect server, you sometimes require a faster sync than the default 30 minutes. This can be done very easily by entering one Powershell command. Open a Powershell window, and load the AD Connect Sync Powershell module:
Once imported, you have 2 options. For a full sync, type the following command:
In the Azure portal you can reset the password of a user, but this is always a temporary password. But PowerShell to the resque again, lets set the password in Azure AD with PowerShell with a predefined password! On your Windows device open a PowerShell prompt and connect to Azure AD. (Click here if you don’t know how to)
First we need to get the object ID from the user where we want the password to be reset. Run the following command (replace emailadres):
From the Office 365 Admin portal it is possible to deploy Office plugins to users, both specific as all users. With this manual we will deploy a plugin from the store, but you can deploy custom apps as well. The advantage of using plugins from the store is that the plugins get automatically updated, so nothing you have to worry about anymore!
Step 1: Login to the office portal, go to the admin center, and from there go to Settings, Services & add-ins, and Deploy Add-in
Today we will learn how to deploy Azure AD Domain services. So let’s go to the Azure portal and let’s get you started!
Step 1: Go to Azure AD Domain Services and create a new Azure AD Domain services!
Step 2: Now we can start te setup of ADDS, fill in your preferred domain name. You can leave the default which is the same as your Azure Active Directory name ending with .onmicrosoft.com, but I would recommend a public URL like in my case adds.2azure.nl.
You still have your old network drives? Still need to setup a VPN to access your file shares? Or have you migrated all your files to Azure file share but you need a higher performance for your Autocad files?
Wait no longer, Azure File Sync to the rescue! Where you would have your Azure File Share for sharing files, you can use Azure File Sync to make a local cache of your Azure files, or sync your local file server to Azure Files. In this manual we will help you setup Azure File Sync with a existing Azure File Share. I already have a Azure File Share, mapped as a network drive Z:
There are cases where you want or need to uninstall an Office update. Office 365 installations use a different update than the old Office 2013 & 2016 installations. Where the old installations are a point in time installation, click-to-run always downloads the latest version and then runs the setup. You can revert to an older version but its different than in the past where you could just uninstall an KB update.
Step 1: Check build number and find previous build number
If you ever had to restore a domain joined machine, or a laptop/desktop that didn’t connect to the domain in a long time, it might happen that the domain relationship is broken. When you try to logon you get the following error:
“The trust relationship between this workstation and the primary domain failed.”
What you can do is leave the domain, and rejoin the domain, however, it is better to reestablish the trust relationship. Log in on the computer with a local admin account and run in a privileged PowerShell window the below script. After running a reboot should do the trick.
Use the following command to re-establish the trust with the domain:
$domaincontroller = “Name of the domain controller” $credential = Get-Credential
Below are the 2 options to reset or change the immutable ID. These are sometimes required when you want to sync your users, or when you receive a sync error.
Calculate and set immutable ID (Recommended)
This method is the best way to make sure that AD Connect gets a proper sync. We are going to connect to the on-premise AD, and calculate and set the immutable ID in Azure AD / Office 365. So first we connect to Active Directory.
Now, lets grab the GUID of the user and create the ImmutableId
The easy way is to clear the immutable ID in Azure AD/ Office 365. This will let AD Connect think that the account has never been synchronized and will sync it based on a soft match. However I wouldn’t recommend it. But if you ever need to do it, here is the commands to do it.