Upgrade to Azure Active Directory Premium

Recently I was working with a customer who wanted to move from Exchange 2010 on-premises to Exchange Online. This customer had a lot of Mac clients (both internally and externally). Since Mac clients are not members of the Active Directory domain, I asked how these users changed their domain password. “Using OWA” was the answer, which makes sense.

This poses a problem in Office 365, since the change password feature is not available in Exchange Online (nor in Exchange 2013/2016 on-premises BTW). I have to admit, you can change a password in the Microsoft Online Portal, but this only works when using Cloud Identities, and not when you’re synchronizing user accounts with their passwords from an on-premises Active Directory.

One nice feature in Office 365, or more specifically in Azure Active Directory, is the option to implement Password writeback. This way users can change their password in Office 365, and the new password will be synchronized to your on-premises Active Directory. This is not only very interesting for customers using Mac clients, but also for customers that have (a lot of) users working remotely, without direct access to the on-premises Active Directory.

Activating password writeback consists of two steps:

  • Implementing self-service password reset in Office 365.
  • Implementing password writeback.

To enable the self-service password reset functionality you need an Azure AD Basic or Azure AD Premium subscription. An overview of Azure AD options is available on the Azure Active Directory Pricing page.

Upgrade Azure Active Directory Synchronization to AADConnect

The Microsoft Directory Synchronization has been available in a variety of versions and names:

  • DirSync (the original).
  • Azure Active Directory Sync (AADSync).
  • Azure Active Directory Connect (AADConnect).

Each version of the tool had a number of releases; for the original DirSync, for example, there were 14 different releases, as can be seen here. Similar information for AADSync (5 releases) can be found here, and for AADConnect (12 releases) you can find it here.

In my test environment (Exchange hybrid) I’m currently running AADSync 1.0.491.413. Since the current (as of March 2016) version is AADConnect 1.1.110.0, it’s time to upgrade :-)

When upgrading from a previous version there are two options:

  • In-place upgrade – this is the recommended way if the upgrade time takes less than three hours.
  • Parallel upgrade – This is the recommended way if the upgrade time takes more than three hours.

Why three hours? The Directory Synchronization runs every three hours. It is also estimated that if you have more than 50,000 objects to synchronize, the upgrade will take more than 3 hours.


Delegated Mailbox Permissions cross-premises

This is one of the most requested features in an Exchange hybrid scenario (i.e. Exchange Online combined with Exchange on-premises) and as of early February 2016 it is finally officially supported: Cross premises Full Access Permissions.

This means that if you have a manager’s Mailbox on-premises, and an assistant Mailbox in Exchange Online, the assistant can open the manager’s Mailbox. This works both ways, so if the manager’s Mailbox is in Exchange Online and the assistant’s Mailbox is in Exchange on-premises the results are the same.

There are some caveats however:

  • This only works when Full Access permissions are granted, and this is achieved using the Exchange Admin Center or Exchange Management Shell in Exchange Online.
  • Send-As, Receive-As and Send-on-behalf-of permissions are not supported cross-premises.
  • Your Outlook 2013 should be patched with at least the November 2015 update.
  • The first time users open a Mailbox in the other organization they might see a credentials pop-up.

The people picker in the EAC in Exchange Online supports adding Mail-Enabled Users (MEU) and regular Mailboxes, so you can use the EAC in Exchange Online to add cross-premises permissions. The EAC in Exchange 2013/2016 on-premises only supports adding Mailboxes, so the online version of the EAC needs to be used.

More information can be found on the following Microsoft articles:

Exchange 2013 Cumulative Update 11 – Install it or not?

On December 15, 2015 Microsoft released Cumulative Update 11 (CU11) for Exchange Server 2013. Okay, I’m a little late with this one, but I wanted to wait some time to see what would happen with this CU….

Note. You can download Exchange 2013 CU11 at https://www.microsoft.com/en-us/download/details.aspx?id=50366, the accompanying UM Language Pack files can be downloaded from https://www.microsoft.com/en-us/download/details.aspx?id=50365 and this is the official Microsoft announcement: https://support.microsoft.com/en-us/kb/3099522. But please, read on before starting to download and install Exchange 2013 CU11.

Now, about this CU….. Microsoft introduced a new feature in CU11 called Mailbox Anchoring. This means that an Exchange Management Shell will no longer connect to the Exchange 2013 server you’re logged on to, but it will be proxied to the Exchange server hosting your current Mailbox. This can be challenging in a mixed environment.
