Lock down Microsoft Team creation (Manual)

By default everyone may create a new team in Microsoft Teams. As an organisation admin you might want to control this, or release it a some point. With this manual you should be able to lock down team creation to users that are member of a Azure AD Security group.

STEP 1: First we will need to install the Preview version of the Azure Active Directory PowerShell module for Graph. Open a PowerShell window with Adminstrator privileges and run the following 2 commands:

Uninstall-Module AzureAD
Install-Module AzureADPreview

STEP 2: Now we will need to connect to Azure-AD to perform the necessary actions. Sign in with an admin account when prompted.

#Connect to AAD
$AzureAdCred = Get-Credential 
Connect-AzureAD -Credential $AzureAdCred

STEP 3: In Azure AD using the Azure portal (https://portal.azure.com), create a new security group.

STEP 4: Enter the name of your security group on the top line, and run the following script.

$GroupName = "Your Security Group Name"
$AllowGroupCreation = "False"

$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
       $template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}
     $settingsCopy = $template.CreateDirectorySetting()
     New-AzureADDirectorySetting -DirectorySetting $settingsCopy
     $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
 $settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
 $settingsCopy["EnableGroupCreation"] = $AllowGroupCreation
     $settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString $GroupName).objectid
  else {
 $settingsCopy["GroupCreationAllowedGroupId"] = $GroupName
 Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy
 (Get-AzureADDirectorySetting -Id $settingsObjectID).Values

The result of the script should give you the updated settings. On the last line you should see EnableGroupCreation. If you want to reverse this setting. Just simply change the following line to True and run the entire script:

$AllowGroupCreation = “True”

If you want another security group, rerun the script with the new group name.

Find inactive mailboxes in Exchange Online

So you want to clean up unused (shared) mailboxes in your Exchange (Online) environment. How to find out which mailboxes have been inactive for a long time? The answer is yet simple again, with a cool Power Shell script.

Afbeeldingsresultaat voor exchange mailbox delete"

First we will connect to Exchange Online

$Credential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Credential -Authentication Basic -AllowRedirection
Import-PSSession $Session
Continue reading “Find inactive mailboxes in Exchange Online”

Performance enhancement on Azure Premium SSD Disks

Microsoft has announced SSD bursting capabilities. This means that Premium SSD disks can achieve higher peak loads than the maximum IOPS with a new maximum of 3500 IOPS and a bandwidth up to 170 MiB/s. Together with this announcement Microsoft also announced new disk sizes (4, 8 & 16 GiB)


With the new bursting disks you can achieve up to 30 times the provisioned bandwidth, which will give better performance for spiky workloads. Disk bursting is based on a credit system. You will receive bursting credits when traffic is below the provisioned limit. Let me try to explain it using a simple chart.

Continue reading “Performance enhancement on Azure Premium SSD Disks”

Change default email address Office 365 group (Manual)

Office 365 Groups are easy to create. However, changing the primary domain name when creating the group might not be that easy from the GUI. However, with Power Shell you can change this easily.

First we will need to open a Power Shell Window, and connect with Exchange Online.

$Credential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Credential -Authentication Basic -AllowRedirection

Import-PSSession $Session

Next, we just need to change the 2 value’s below, and run it. After running, you don’t get a confirmation. It might take up to 30 minutes before changes are visible in all Office 365 and/or Azure portals.

Set-UnifiedGroup –Identity "Group name" –PrimarySmtpAddress primaryaddress@2azure.nl


Credits: Martin van de Giessen

Convert AD domain users to Azure AD users (Manual)

With the move to the cloud there might be a time where you would like to remove the Active Directory link (AD Connect) and go for a cloud only strategy. With a few simple steps you can disconnect the AD connect sync from Azure AD.

When you look in your Office 365 environment you will notice that the sync status has different symbols. One for cloud only, and one for Active Directory. To disable the link, open a PowerShell window and run the following steps.

STEP 1: First make sure that you disable the AD Connect sync service by disabling the service, or set it to staging mode.

STEP 2: Connect to your Microsoft Office 365 environment using the following command, and login to the desired environment:


STEP 3: Now run the following command to disable the sync, confirm your actions, you cannot undo this change!

Continue reading “Convert AD domain users to Azure AD users (Manual)”

In memoriam – Nelleke den Boer

You might have noticed that it’s quiet on 2azure.nl. On the 19th of November my wife got very ill, with unknown brain damage she was hospitalized in the Erasmus University Medical Center. But despite all efforts she passed away on the 6th of December 2019 in the age of 29.

She was my soulmate in everything. Caring for me, for our children, and always interested in other people. Such a lovely wife. You are always in my heart.

Nelleke den Boer – Brouwer | 06-01-1990 – 06-12-2019

Update Exchange Online Global Address List (GAL)

There are situations where you would like to enforce an update of the Exchange Global Address list (GAL) in Office 365. With a few steps this can easily be done!


Exchange Online EXO V2 module, install using: Import-Module -Name ExchangeOnlineManagement

STEP 1: First we will need to make sure that our admin account has the correct permissions. Go to the Exchange Online Admin center, and then to permissions – admin roles and click on the + sign to add a new role

We will now create a new role group. Give it the name Address List Management and assign the role Address lists, and make sure to add the administrator account as a member. Click Save when ready.

Continue reading “Update Exchange Online Global Address List (GAL)”

Office 365 Set language and time zone for all users with PowerShell (Manual)

When you create a new Office 365 tenant, all user mailboxes will have the default timezone and language. In my case, I work in the Netherlands, the preference for most companies is to set the Time zone to Central European Time (GMT +1) and the language of the users default folders to Dutch.

You can either ask the users to logon to webmail using https://outlook.office.com and fill in the first time question to set the time zone and default language. But how cool would it be to do this for all your users using PowerShell?

First time login screen Outlook Web Access
Continue reading “Office 365 Set language and time zone for all users with PowerShell (Manual)”

Azure Risk based conditional access explained and how to set it up!

With the Azure AD Premium P2 license you are entitled for Azure AD Identity Protection. You will get the option in Conditional Access to assign risk level based options to your policies. Azure AD Identity Protection can detect six different types of suspicious sign-in activities with 3 different levels of risks.

Six suspicious sign-in activities and 3 risk levels

With the riks levels combined with conditional access policies we can protect sensitive application and data access. With this article I am going to show you how to create risk-based conditional access policies

So let’s create a Policy and get Conditional Access applied with risk levels

Step 1: Log in to the Azure Portal: https://portal.azure.com

Continue reading “Azure Risk based conditional access explained and how to set it up!”

PowerShell script to export and import legacy Exchange x500 addresses (Manual)

When you’re migrating from one Exchange environment to another, or from on-premise to Exchange online without using the hybrid setup, the most forgotten part is the migration of the users x500 address. The reason why this is so important is because Exchange uses this to deliver local emails instead of the SMTP address that is normally associated with email. (This also goes along for calendar appointments)

So, by not migrating the x500 address it means that communications will fail when changing calendar appointments, or replying on old emails. To prevent this we will need to export the ExchangeLegacyDN from Active Directory, and import it again as a ProxyAddress in Active Directory.

Export the x500 address (ExchangeLegacyDN)

Step 1: From your source Active Directory, look up the distinguishedName, and copy the content of the value.

Continue reading “PowerShell script to export and import legacy Exchange x500 addresses (Manual)”

Improved Azure Portal design

Today I noticed that the Azure Portal had a new appearance. By default the menu from the left is now hidden, giving you a cleaner view of all the blades, and as well on your dashboards.

But what I really like, is the Auto Refresh button on the dashboard. Although 30 minute interval might still be to long, this can help you get the cool dashboards that you want on a big screen.

Enforce (Azure) MFA with Conditional Access policies

Multi Factor Authentication (MFA) is an added security feature from Azure which I believe that should be enabled by default for everybody in Office 365 and Azure. There for this manual how to enforce (Azure) MFA for all users using Azure Multi Factor Authentication

MFA can prevent unauthorized access in case of the following events:

  • Leaked credentials
  • Sign-ins from anonymous IP addresses
  • Impossible travel to atypical locations
  • Sign-ins from unfamiliar locations
  • Sign-ins from infected devices
  • Sign-ins from IP addresses with suspicious activities

Using Conditional access we can ensure that your users and company data is safe. Important to know is that Office 365 MFA is free of charge, and if you have Azure AD applications an Azure AD Premium license is required.

Named location

If you want to mark your locations as trusted location, you can do that if you have a static public IP. So the first steps are there to define your office locations.

Continue reading “Enforce (Azure) MFA with Conditional Access policies”

Exchange Online: Set default calendar sharing permissions for all users

In a new Exchange (Online) environment you might want to change the default calendar sharing permissions for all users. By default the sharing permissions for the entire organization are set to “Can view when I’m busy”.

Some companies have a different wish on the default calendar settings of their users. The preferred setting might be “Limited details”. This will show just the headlines and location of the calendar.

If you try to open an invite, it will notify that you do not have access.

So, what options do we have? From the Outlook app you can see that there are 5 options to choose from. (See screenshot below)

Continue reading “Exchange Online: Set default calendar sharing permissions for all users”

Change default send items behavior of Auto-mapped Shared Mailboxes

A commonly heart end-user frustration with Auto-mapped shared mailboxes is that Send emails from the shared mailbox end up in the send items of the user it self. In the past you would need to set a registry key on the client computer to get this resolved. But with Office 365, there is an easy way to change this behavior for every user.


With PowerShell this job is done in less than a minute in just 2 simple steps.

STEP 1: First connect to Exchange Online using the following commands:

$UserCredential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Import-PSSession $Session 

STEP 2: Now run the following command to set the default behavior for all Shared Mailboxes in your Exchange Online environment.

Get-Mailbox | Where {$_.RecipientTypeDetails -eq “SharedMailbox”} | Foreach-Object {Set-Mailbox -identity $_.Alias -MessageCopyForSentAsEnabled $True } 

Azure SQL update statistics (Manual)

I recently run into a case where I needed to update statistics of an Azure SQL Database because of poor performance and deadlocks. Preventing disruptions is key, so it is important to do something about it. With a simple script we can update the statistics easaly.

Why should I update statistics?

SQL Server statistics are essential for the query optimizer to prepare an optimized and cost-effective execution plan. These statistics provide distribution of column values to the query optimizer, and it helps SQL Server to estimate the number of rows. The query optimizer should be updated regularly. Improper statistics might mislead query optimizer to choose costly operators such as index scan over index seek and it might cause high CPU, memory and IO issues in SQL Server. We might also face blocking, deadlocks that eventually causes trouble to the underlying queries, resources.

The script

Just execute the following query on your database and you should be good to go! Keep in mind, depending on your database this might take a while. During this script your database will get slow, but will remain online.


 SELECT table_schema, table_name  
 FROM information_schema.tables
        where TABLE_TYPE = 'BASE TABLE'
 OPEN updatestats

 DECLARE @tableSchema NVARCHAR(128)
 DECLARE @tableName NVARCHAR(128)
 DECLARE @Statement NVARCHAR(300)

 FETCH NEXT FROM updatestats INTO @tableSchema, @tableName

    SET @Statement = 'UPDATE STATISTICS '  + '[' + @tableSchema + ']' + '.' + '[' + @tableName + ']' + '  WITH FULLSCAN'
    EXEC sp_executesql @Statement 
    FETCH NEXT FROM updatestats INTO @tableSchema, @tableName

 CLOSE updatestats
 DEALLOCATE updatestats

How to solve Failed to sync the ArchiveGuid in Office 365 (Manual)

Last few weeks I’ve been struggling with an very difficult Office 365 / Exchange Online case, that got escalated to multiple Microsoft departments to be fixed. I already found one part of the solution, but Microsoft found the second part. Today I would like to take you through all the steps to fix possible causes and resolutions. So the initial problem started with the following error in the Office 365 admin portal with the affected users:

Failed to sync the ArchiveGuid 00000000-0000-0000-0000-000000000000 of mailbox MailboxGuid because one cloud archive CloudArchiveGuid exists.

Another symptom is the mailbox provisioning gets stuck, and hangs on “We are preparing a mailbox for this user”

You will only see this error with AD connect sync enabled environments. The problem occurs when the on-premise value mismatches with the Online Archive Guid. With just a few easy steps we can fix this issue.


We will need to fill multiple Active Directory user attributes to resolve this issue.

Continue reading “How to solve Failed to sync the ArchiveGuid in Office 365 (Manual)”