The Microsoft Online Services Module allows you to manage your tenant directly and, in some cases, change settings you can’t change in the GUI (note this can only be achieved if you’re managing accounts that have been created in the tenant, e.g. not created using Dirsync/ADFS). To access Remote PowerShell to the Service Portal you will need to install the following prerequisites:-
Download the Microsoft Online Services Module
The Microsoft Online Services Module for Windows PowerShell is a download that comes with Office 365. This tool installs a set of cmdlets to Windows PowerShell (you run those cmdlets to set up single sign-on for Office 365).
In this case I want to stop users from being prompted to change their password. To do this, run the Microsoft Online Services Module from the shortcut menu and connect to your Office 365 tenant by running the following commands:-
You will need to enter your tenant credentials. Once you have done this, you can check the current settings by running
Note that PasswordNeverExpires is set to false, you can then change the setting for either that individual user or all users
Run this command again to ensure that the settings have taken effect and that PasswordNeverExpires is set to True
Also, if you don’t want the user to be prompted when they log in, you can run the following command
If you want a list of the available commands, run
This is the output (as you can see, it’s a pretty powerful tool; for example, you can automate the provisioning of licenses):-
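The check, change and verify sequence described above, as an added PowerShell example (not the original post's commands): it reads PasswordNeverExpires, sets it for named users only, skips directory-synced accounts as the opening note requires, and exports the resulting exemptions for review. The function names, the CSV path and user@company.onmicrosoft.com are assumptions introduced for illustration.

```powershell
# Added example (not the original post's commands). Needs the Microsoft Online
# Services Module; 'user@company.onmicrosoft.com' is a placeholder account.
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential)   # tenant administrator

function Get-PasswordExpiryReport {
    # Current flag for every user, plus whether the account is directory-synced
    # (LastDirSyncTime is empty for accounts created in the tenant).
    Get-MsolUser -All | Select-Object UserPrincipalName, PasswordNeverExpires,
        @{ Name = 'DirSynced'; Expression = { $null -ne $_.LastDirSyncTime } }
}

function Set-PasswordNeverExpiresChecked {
    param(
        [Parameter(Mandatory = $true)][string[]] $UserPrincipalName,
        [bool] $NeverExpires = $true
    )
    foreach ($upn in $UserPrincipalName) {
        $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop
        if ($null -ne $user.LastDirSyncTime) {
            Write-Warning "$upn is synced from on-premises; not changed"
            continue
        }
        Set-MsolUser -UserPrincipalName $upn -PasswordNeverExpires $NeverExpires
        # Read the value back rather than assuming the change was applied.
        Get-MsolUser -UserPrincipalName $upn |
            Select-Object UserPrincipalName, PasswordNeverExpires
    }
}

# 1. Check the current setting for one user.
Get-MsolUser -UserPrincipalName 'user@company.onmicrosoft.com' |
    Select-Object UserPrincipalName, PasswordNeverExpires

# 2. Change it for that user only and confirm the new value.
Set-PasswordNeverExpiresChecked -UserPrincipalName 'user@company.onmicrosoft.com'

# 3. Record every account exempt from expiry so the list can be reviewed.
Get-PasswordExpiryReport | Where-Object { $_.PasswordNeverExpires } |
    Export-Csv -Path .\password-never-expires.csv -NoTypeInformation
```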
Add-MsolGroupMember
Add-MsolRoleMember
Confirm-MsolDomain
Connect-MsolService
Convert-MsolDomainToFederated
Convert-MsolDomainToStandard
Convert-MsolFederatedUser
Get-MsolAccountSku
Get-MsolCompanyInformation
Get-MsolContact
Get-MsolDomain
Get-MsolDomainFederationSett.
Get-MsolDomainVerificationDns
Get-MsolFederationProperty
Get-MsolGroup
Get-MsolGroupMember
Get-MsolPartnerContract
Get-MsolPartnerInformation
Get-MsolRole
Get-MsolRoleMember
Get-MsolSubscription
Get-MsolUser
Get-MsolUserRole
New-MsolDomain
New-MsolFederatedDomain
New-MsolGroup
New-MsolLicenseOptions
New-MsolUser
Remove-MsolContact
Remove-MsolDomain
Remove-MsolFederatedDomain
Remove-MsolGroup
Remove-MsolGroupMember
Remove-MsolRoleMember
Remove-MsolUser
Set-MsolADFSContext
Set-MsolCompanyContactInform.
Set-MsolCompanySettings
Set-MsolDirSyncEnabled
Set-MsolDomain
Set-MsolDomainAuthentication
Set-MsolDomainFederationSett.
Set-MsolGroup
Set-MsolPartnerInformation
Set-MsolUser
Set-MsolUserLicense
Set-MsolUserPassword
Set-MsolUserPrincipalName
Update-MsolFederatedDomain
Written by Daniel Kenyon-Smith
Steps
Action
The first step is to understand the different types of retention policies you can apply and plan appropriately
See http://help.outlook.com/en-us/beta/gg271153.aspx for more details on retention policies.
First create Retention Tags
Create retention tags under the online tenant (for mailboxes that have been migrated to O365), under ‘Organisation configuration’ and ‘Mailbox’, then select the ‘Retention Policy Tags’ tab and create a new retention tag based on the setting you planned for in the previous step e.g.
This tag will apply to all folders and is therefore a default policy tag
In this example I also created a personal tag
This tag applies to personal folders or individual items that the user can select e.g. emails
Create a retention policy and assign the retention tags to the policy
In the online EMC click ‘Retention Policies’ tab and create a new retention policy and assign the retention tags to the policy
Assign a mailbox to the policy
Process the retention policy immediately if required
Run the following command
Start-ManagedFolderAssistant -Identity "Mailbox added the previous step" (using remote PowerShell)
Check the retention policy is applying to the user
Get-mailbox "Mailbox added the previous step" | fl ret* (using remote PowerShell)
Log in to the user’s mailbox to see if the retention policies have applied and are available (this will depend on the retention policy types you have created)
Log in to a user’s mailbox that has the retention policies assigned and notice the available policies in the ‘Home’ ribbon in Outlook 2010. The ‘Use Folder Policy’ is the default policy tag we created called ‘Move To Archive’ and is applied to all folders. The 14 days/2 weeks policy is the ‘Custom – Move To Archive’ retention tag we created earlier; this applies to ‘Personal folders’ and is therefore a personal tag, which users can apply to custom folders and individual items e.g. emails
Apply the personal tag to an individual item
Login to the portal
Sign into https://portal.microsoftonline.com as the tenant administrator
Add the user to the Discovery Management Role
Select ‘Manage’ Under Exchange Online
Select ‘Roles and Auditing’ and select the ‘Discovery management Role’ and details to add a user to the Discovery Management role group
Add the relevant user
NOTE: This user will have access to search information within a user’s mailbox
Note the new membership
Perform a new search and estimate the search results first
When I login to the portal with the assigned user we specified above I see the ‘Discovery’ tab under ‘Mail Control’.
When I click on new search I need to specify what the search criteria is, such as keywords, mailbox to search and you can also estimate the search results before you run an actual search
Note: If no results are returned you can go back into details and redefine your search
Perform a search and select ‘copy search results’
Select details again
You can now save the search results to a destination mailbox (Discovery Search Mailbox)
Note the number of items found, click open to see the search results
Select ‘Open’ to open the discovery mailbox and view the search results
View the search results
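Because members of the Discovery Management role group can search other users' mailboxes, as the note above says, the membership is worth checking against an agreed list. This is an added PowerShell example, not part of the original post; the function name Compare-DiscoveryMembership and the address legal.search@company.com are assumptions introduced for illustration.

```powershell
# Added example. Run in the remote PowerShell session to Exchange Online.
# $Approved is a constructed allow-list of addresses permitted to run discovery searches.
$Approved = @('legal.search@company.com')

function Compare-DiscoveryMembership {
    param(
        [string[]] $Approved = @(),
        [string]   $RoleGroup = 'Discovery Management'
    )
    $approvedSet = @($Approved | ForEach-Object { $_.ToLower() })
    $seen = @()
    foreach ($member in Get-RoleGroupMember -Identity $RoleGroup) {
        # Members without a mailbox address (e.g. nested groups) are keyed by name.
        $key = "$($member.PrimarySmtpAddress)".ToLower()
        if (-not $key) { $key = "$($member.Name)".ToLower() }
        $seen += $key
        $status = if ($approvedSet -contains $key) { 'Approved' } else { 'Unexpected' }
        New-Object PSObject -Property @{
            Member = $key; RecipientType = $member.RecipientType; Status = $status
        }
    }
    # Approved entries that are not members mean the allow-list is out of date.
    foreach ($entry in $approvedSet) {
        if ($seen -notcontains $entry) {
            New-Object PSObject -Property @{
                Member = $entry; RecipientType = $null; Status = 'NotAMember'
            }
        }
    }
}

Compare-DiscoveryMembership -Approved $Approved |
    Sort-Object Status, Member | Format-Table Member, RecipientType, Status -AutoSize
```

Any row with Status 'Unexpected' is an account that can search mailboxes without being on the agreed list.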
Configure the ‘Office 365 Tenant’ Organization Relationship
Get-OrganizationRelationship "Office 365 Tenant" | fl
Run - Set-OrganizationRelationship "Office 365 Tenant" -ArchiveAccessEnabled $true
Start a remote PowerShell session
Run
$LiveCred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session -AllowClobber
Configure the ‘On Prem’ Organization Relationship
Run - Get-OrganizationRelationship "On Prem" | fl
Then enable the ArchiveAccessEnabled attribute by running - Set-OrganizationRelationship "On Prem" -ArchiveAccessEnabled $true
Enable user archive
In EMC select the mailbox you want to enable, right click and select ‘Enabled Hosted Archive’
Select Yes to enable hosted archive message ‘The archive will created in the online tenant specified. An archive will be created for ‘MAILBOXNAME’. Would you like to proceed?’
Note the icon changes for the mailbox when the archive is enabled
Login to the user mailbox
Ensure the archive appears in the user’s profile (either Outlook 2010 or OWA)
Enable on-premise Mailtips
Set-OrganizationRelationship -id "Office 365 Tenant" -MailTipsAccessEnabled $True -MailTipsAccessLevel all
Enable Office 365 Mailtips
Set-OrganizationRelationship -id "On-Prem" -MailTipsAccessEnabled $True -MailTipsAccessLevel all
Actions
Enable move mailboxes for the organization relationship
Run Set-OrganizationRelationship -id "Office 365 Tenant" -MailboxMoveEnabled $True
Note:
The MailboxMoveEnabled parameter specifies that the organization relationship is used to provide the credentials for moving mailboxes to Office 365. If you don’t set this parameter you are required to provide admin credentials for the remote move.
Access the Mailbox Replication Service Proxy (MRSProxy) service config file
By default MRSProxy is disabled and must be enabled to help facilitate cross forest moves. On the Client Access Server browse to
C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\exchweb\ews\web.config
Enable the MRSProxy setting on all CAS’
Locate ‘Mailbox Replication Proxy Service configuration’ in the web.config file and enable ‘IsEnabled’ by setting it to true
Enable free/busy calendar sharing on-premise
Set-SharingPolicy 'Default Sharing Policy' -Domains '*: CalendarSharingFreeBusySimple', 'Company.com:CalendarSharingFreeBusyReviewer, ContactsSharing', 'Company.onmicrosoft.com:CalendarSharingFreeBusyReviewer, ContactsSharing', 'Office365.Company.com:CalendarSharingFreeBusyReviewer, ContactsSharing'
Confirm the settings have been applied in the EMC, under Organisational configuration, Mailbox, Sharing Policies
Enable free/busy calendar sharing for Office 365
Open a remote PowerShell session by running the following commands and set the sharing policy
$liveCred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session -AllowClobber
Set-SharingPolicy 'Default Sharing Policy' -Domains '*: CalendarSharingFreeBusySimple', 'Company.com:CalendarSharingFreeBusyReviewer, ContactsSharing', 'Company.onmicrosoft.com:CalendarSharingFreeBusyReviewer, ContactsSharing'
Add the online tenant to the on-premise EMC
In the on-premises EMC right click ‘Microsoft Exchange’ and select add forest
In the drop down list specify ‘Exchange Online’ as the external exchange forest and specify your Office 365 administrator credentials if prompted
Verify Exchange Online is added to your on-premise EMC