How to solve Failed to sync the ArchiveGuid in Office 365 (Manual)

Last few weeks I’ve been struggling with an very difficult Office 365 / Exchange Online case, that got escalated to multiple Microsoft departments to be fixed. I already found one part of the solution, but Microsoft found the second part. Today I would like to take you through all the steps to fix possible causes and resolutions. So the initial problem started with the following error in the Office 365 admin portal with the affected users:

Failed to sync the ArchiveGuid 00000000-0000-0000-0000-000000000000 of mailbox MailboxGuid because one cloud archive CloudArchiveGuid exists.

Another symptom is the mailbox provisioning gets stuck, and hangs on “We are preparing a mailbox for this user”

You will only see this error with AD connect sync enabled environments. The problem occurs when the on-premise value mismatches with the Online Archive Guid. With just a few easy steps we can fix this issue.

Resolution

We will need to fill multiple Active Directory user attributes to resolve this issue.

Continue reading “How to solve Failed to sync the ArchiveGuid in Office 365 (Manual)”

Create new Outlook profile after Office 365 mail migration using GPO (Manual)

You want to move your mailboxes from Exchange on-premise to Office 365, and you want to give you users a smooth transition experience, then you will definitely need to implement the following to automatically create and configure a new Outlook profile on all Windows devices.

ZeroConfigExchange (ZCE)

Within Outlook Microsoft has created ZeroConfigExchange to setup new profiles with minimal user interaction. Depending on your exact configuration Outlook will be configured fully automatically, or the user is required to fill in his email address and/or password.

Continue reading “Create new Outlook profile after Office 365 mail migration using GPO (Manual)”

How to block non-modern authentication to Office 365 services. (Manual)

With Azure Conditional access you get more control over your data, get better security and visibility! To use this feature you will need to buy and assign Azure AD Premium or EM+S E3/E5 licenses to your users.

This manual can be used to enforce the use of the Outlook app on IOS and Android devices by blocking all apps that do not support Modern Authentication like iOS mail and Google mail client.

Step 1: In the Azure Portal go to Conditional Access. On the first page that you get create a New policy

Continue reading “How to block non-modern authentication to Office 365 services. (Manual)”

How to configure Outlook on IOS & Android using Intune (Manual)

If you deployed Intune to your mobile devices, you want to enforce the use of the Outlook app on the mobile device. We want to make the end user experience as smooth as possible and preconfigure Outlook for the. How can we prepare the Outlook app with your company email settings? With just a few steps, we can get this setup!

Step 1: From the Azure Portal go to Intune –> Clients Apps –> App configuration policies and click Add

Step 2: Give the configuration policy a name and description. Select Device Enrollment type, my preferred method is to use Managed apps, because this will deploy the policy to both enrolled and unenrolled devices. Select the Outlook apps on Associated app, and go to Configuration settings.

Continue reading “How to configure Outlook on IOS & Android using Intune (Manual)”

Create a drive mapping using Intune on Azure AD joined devices (Manual)

With the transition to Azure AD, you might want to connect your AAD joined devices to the traditional file server as explained in this article: Go Azure AD Joined with on-prem DC and fileserver The next step is to map some network drives with Intune!

Step 1: The first step is to create a PowerShell script that will do the actual drive mappings. This script will be placed on a Azure Blob storage (or your internal domain) where you will be able to manage and maintain the script. This script will be run using a second script that we will deploy with Intune. For your convenience I’ve already prepared the script:

Continue reading “Create a drive mapping using Intune on Azure AD joined devices (Manual)”

Bulk migrate to OneDrive from personal drive with SharePoint Migration Tool (Manual)

In this manual I will explain step by step how to migrate your users from their personal drive to OneDrive using bulk migration in SharePoint Migration tool. This includes preparing the users OneDrive, granting permissions, and setup SharePoint Migration tool.

Image

Prerequisites

Before we begin, we will need a migration station, I would recommend to use a server designed for this purpose. On the migration server make sure you install the following:

Continue reading “Bulk migrate to OneDrive from personal drive with SharePoint Migration Tool (Manual)”

How to use SharePoint Migration Tool

Last few weeks I’ve been busy with migrating file servers to SharePoint and OneDrive. For this I’ve used the SharePoint Migration tool from Microsoft. Download: Link
With just a few easy steps you are able to migrate your data to SharePoint or OneDrive.

In this manual we will focus on SharePoint only, I will create a OneDrive Manual later on including CSV instruction to perform bulk migrations.

Continue reading “How to use SharePoint Migration Tool”

Azure SQL configure Azure AD user authentication (Manual)

When moving your applications to the cloud, it makes sense to start using Azure Services to get the best service, highest availability (SLA) and worry free maintenance provided by Azure. The next step is to use Azure AD identities with Azure SQL Database.

Schematic overview of Azure SQL with AAD integration, and optionally synced from on-premise AD.

Within a few steps you will have Azure AD user authentication setup.

Continue reading “Azure SQL configure Azure AD user authentication (Manual)”

Deploy Azure Application Gateway with http to https redirect

Azure Application Gateway is an advance type of load-balancer. Where an Azure Load-balancer routes traffic on the transport layer (OSI Layer 4 | TCP + UDP) the Application Gateway is a way more advanced load-balancer. It can route based on URL as well on path’s. On top of that it can do much more, like SSL offloading, autoscaling, redirection, multiple site hosting and the most import of all, it can include a web application firewall (WAF)

Afbeeldingsresultaat voor azure application gateway

With all the features that the Azure application gateway provides, we should be able to setup multiple websites listening on different ports and url’s behind one Azure Application Gateway with just one external IP address.

With this guide you should be able to setup an application gateway with multiple site hostname match and http to https redirect. In this manual we will be using Atlassian Jira and Confluence as an example.

So what are we going to setup:

  • Deploy Azure application gateway
  • Configure 2 external URL’s (jira.2azure.nl and confluence.2azure.nl)
  • We will redirect port 80 to 443 for both websites
  • Jira will be listening on port 8080 internally (Default port)
  • Confluence will be listening on port 8090 internally (Default port)

For this guide the VNET, subnets and the virtual machine hosting both websites have already been deployed. During this guide we will not deploy a Web Application Firewall, I will tell more about that in upcoming blog article.

The setup in an overview.
Continue reading “Deploy Azure Application Gateway with http to https redirect”

How to setup Azure Lighthouse (Manual)

Microsoft released Lighthouse last weekend, and since this is a great feature, I wanted to implement it as soon as possible, but the Microsoft docs might be a bit confusing, so I wanted to simplify the manual, so here it is! We will be using PowerShell, as this makes life so much easier, and faster.

Requirements:

  • Your admin tenant needs to have a valid Azure subscription
  • You need to have a native user account with the new Owner role in the tenant that you want to manage (Customer tenant)
  • Azure PowerShell module: AZ (Install-Module -Name az)
Continue reading “How to setup Azure Lighthouse (Manual)”

AD Connect Force synchronization

If you have an AD Connect server, you sometimes require a faster sync than the default 30 minutes. This can be done very easily by entering one Powershell command. Open a Powershell window, and load the AD Connect Sync Powershell module:

Import-Module ADSync

Once imported, you have 2 options. For a full sync, type the following command:

Start-ADSyncSyncCycle -PolicyType Initial

For just syncing the changes, type the following:

Start-ADSyncSyncCycle -PolicyType Delta

Reset Azure AD User password with a predefined password

In the Azure portal you can reset the password of a user, but this is always a temporary password. But PowerShell to the resque again, lets set the password in Azure AD with PowerShell with a predefined password! On your Windows device open a PowerShell prompt and connect to Azure AD. (Click here if you don’t know how to)

First we need to get the object ID from the user where we want the password to be reset. Run the following command (replace emailadres):

Get-AzureADUser -filter "userPrincipalName eq 'username@2azure.nl'"

Copy the ObjectId from the user where you want to have the password reset. And run the following commands (replace the password text for the new password):

$password = ConvertTo-SecureString 'Please enter the new password' -AsPlainText -Force

Set-AzureADUserPassword -ObjectId  "a8d5e982-6c3d-406e-a533-a21b275e3d37" -Password $password

Deploy Office 365 plugins using the Admin Portal

From the Office 365 Admin portal it is possible to deploy Office plugins to users, both specific as all users. With this manual we will deploy a plugin from the store, but you can deploy custom apps as well. The advantage of using plugins from the store is that the plugins get automatically updated, so nothing you have to worry about anymore!

Step 1: Login to the office portal, go to the admin center, and from there go to Settings, Services & add-ins, and Deploy Add-in

Continue reading “Deploy Office 365 plugins using the Admin Portal”

How to deploy Azure Active Directory Domain Services (AD DS)

Today we will learn how to deploy Azure AD Domain services. So let’s go to the Azure portal and let’s get you started!

Step 1: Go to Azure AD Domain Services and create a new Azure AD Domain services!

Step 2: Now we can start te setup of ADDS, fill in your preferred domain name. You can leave the default which is the same as your Azure Active Directory name ending with .onmicrosoft.com, but I would recommend a public URL like in my case adds.2azure.nl.

Continue reading “How to deploy Azure Active Directory Domain Services (AD DS)”

How to deploy Azure File Sync

You still have your old network drives? Still need to setup a VPN to access your file shares? Or have you migrated all your files to Azure file share but you need a higher performance for your Autocad files?

High level overview of Azure File Share Sync

Wait no longer, Azure File Sync to the rescue! Where you would have your Azure File Share for sharing files, you can use Azure File Sync to make a local cache of your Azure files, or sync your local file server to Azure Files. In this manual we will help you setup Azure File Sync with a existing Azure File Share. I already have a Azure File Share, mapped as a network drive Z:

Azure File Share mapped as the Z: Drive
Continue reading “How to deploy Azure File Sync”

Uninstall Office 365 Click-To-Run Updates

There are cases where you want or need to uninstall an Office update. Office 365 installations use a different update than the old Office 2013 & 2016 installations. Where the old installations are a point in time installation, click-to-run always downloads the latest version and then runs the setup. You can revert to an older version but its different than in the past where you could just uninstall an KB update.

Steps

Step 1: Check build number and find previous build number

In one of your office programs go to the options menu and go to Office Account. Find your current and previous version on the Microsoft website: Update history Office365 ProPlus by date

Continue reading “Uninstall Office 365 Click-To-Run Updates”

Re-establish trust with Active Directory domain

If you ever had to restore a domain joined machine, or a laptop/desktop that didn’t connect to the domain in a long time, it might happen that the domain relationship is broken. When you try to logon you get the following error:

“The trust relationship between this workstation and the primary domain failed.”

What you can do is leave the domain, and rejoin the domain, however, it is better to reestablish the trust relationship. Log in on the computer with a local admin account and run in a privileged PowerShell window the below script. After running a reboot should do the trick.

Use the following command to re-establish the trust with the domain:

$domaincontroller = “Name of the domain controller”
$credential = Get-Credential

Reset-ComputerMachinePassword -Credential $cred -Server $domaincontroller

Set or clear immutable ID

Below are the 2 options to reset or change the immutable ID. These are sometimes required when you want to sync your users, or when you receive a sync error.

Calculate and set immutable ID (Recommended)

This method is the best way to make sure that AD Connect gets a proper sync. We are going to connect to the on-premise AD, and calculate and set the immutable ID in Azure AD / Office 365. So first we connect to Active Directory.

Import-Module ActiveDirectory

Now, lets grab the GUID of the user and create the ImmutableId

$userUPN = "testuser@2azure.nl" 
$guid = [guid]((Get-ADUser -LdapFilter "(userPrincipalName=$userUPN)").objectGuid)
$immutableId = [System.Convert]::ToBase64String($guid.ToByteArray())

Now connect to Office 365:

Connect-MsolService 

The last command will be used to write the ImmutableId to the AAD / Office 365 user:

Get-MsolUser -UserPrincipalName $userUPN | Set-MsolUser -ImmutableId $immutableId

Clear immutable ID in Office 365 (Not advised)

The easy way is to clear the immutable ID in Azure AD/ Office 365. This will let AD Connect think that the account has never been synchronized and will sync it based on a soft match. However I wouldn’t recommend it. But if you ever need to do it, here is the commands to do it.

Clear ImmutableId for only 1 user:

Get-MsolUser -UserPrincipalName testuser@2azure.nl | Set-MsolUser -ImmutableId $null

Clear ImmutableId for all users:

Get-MsolUser -All | Set-MsolUser -ImmutableId $null