250 Hello

Random Musings on Exchange and Virtualization

April, 2014

  • How To Install ADFS 2012 R2 For Office 365

    When discussing and reviewing Office 365 with customers, I wanted to have a series of posts to illustrate the steps involved when deploying Office 365.   In the burgeoning drafts folder ADFS was at the top, so that got finished first!

    The act of deploying and configuring ADFS 2012 R2 for Office 365 will be broken down into three separate blog posts:

    1. Install ADFS (this post)
    2. Install the ADFS proxy (part 2)
    3. Configure Office 365 to use ADFS (part 3)

    Identity, Identity, Identity

    The IT security landscape keeps evolving.  One of the recent changes is a move away from ACLs on files in the NTFS file system to an access control system based on claims.  Claims-based authentication is an industry-standard way to authenticate users, built on the WS-* standards that describe the use of Security Assertion Markup Language (SAML) tokens.  Claims-based auth requires these tokens, and by extension an entity that can issue them: the Security Token Service (STS).  The STS can be based on Active Directory Federation Services (ADFS) or on other platforms that provide this service.

    ADFS lights up one of the three options for Office 365 identity management, which is option #3 in the below list:

    1. Cloud Identity – users are created and managed in Windows Azure Active Directory (WAAD), with no connection to any other directory.  This is the simplest model as there is no integration with any other directory.  Each user has an account created in the cloud which does not synchronise anywhere else.  Note that you will still typically need additional on-premises credentials to gain access to a local workstation and local resources.
    2. Directory Synchronisation – users are created and managed in the on-premises directory and are synchronised up to Office 365 so they can access Office 365 resources.  Typically this means running the DirSync appliance, or in some cases FIM with the Windows Azure Active Directory Connector.  The newer builds of DirSync allow the user’s password hash to be synchronised up to Office 365.  Note that this is the password hash, not the clear-text password.  This allows users to log on to Office 365 using the same credentials as on-premises with no additional infrastructure.
    3. Federated Identity – federation relies on directory synchronisation so that WAAD is populated.  When the authentication request is presented to Office 365, the service contacts the on-premises ADFS infrastructure so that AD is responsible for authenticating the request.

    ADFS is the primary choice for customers who want to use federated identities with Office 365.  In addition to this there are a variety of qualified third party identity providers that can be connected with Office 365 to provide the necessary plumbing for federation.  The shortcut URL aka.ms/SSOProviders  links to the ‘Works With Office 365’ Identity program, and lists the identity providers that have been qualified with Office 365.  Please read the notes on the TechNet page with regards to the testing and support aspects of these services.

    Some customers will use these services as they do not wish to invest in a fault-tolerant and geographically dispersed ADFS implementation.  The availability of ADFS is a key discussion point when discussing federation.  If the ADFS infrastructure is unavailable for any reason, Office 365 cannot complete the authentication process and users cannot access Office 365.

    In addition, since DirSync now replicates the user’s password hash to WAAD, some customers use DirSync to provide Same Sign-On / Single Sign-On (SSO).  DirSync version 1.0.6385.12, released in May 2013, and later builds provide the ability to synchronise passwords.  DirSync can be downloaded here, and the TechNet Wiki has details on the release history.  When running the configuration wizard with this release you will get the shiny “Password Synchronization” window:

    Windows Azure Active Directory Sync Tool Enable Password Sync

    This is worthwhile to mention as there is still a perception that ADFS is a hard requirement to get SSO.  That is soooooooooooo  Q1 2013!

    Anyway, I digress; let’s get back to ADFS…

    We shall look at installing ADFS 2012 R2 since there are numerous compelling features in this release!

    What’s New And Improved In ADFS 2012 R2

    The quick answer is a lot!  Some examples include:

    • IIS dependency removed
    • Single-server installation option removed; there is now only the farm install (installing a farm was the recommendation in prior releases anyway)
    • Separate ADFS proxy role removed.  The ADFS proxy is now based on the Web Application Proxy (WAP), which is used to publish the ADFS server to the Internet.  WAP can publish many other applications, not just ADFS.
    • ADFS extranet lockout – AD DS account lockout protection on the ADFS proxy
    • Access control based on network location to control user authentication to ADFS

    There are many others, but check here for them since we are focussing on Office 365 usage for ADFS.

    Note that you will not see me call this release ADFS 3.0.  Its full and proper name is ADFS 2012 R2.  For reference, here are the older versions and what some folks call them:

    ADFS Build   Notes
    ADFS 1.0     Released with Windows 2003 R2.  Built into OS.
    ADFS 1.1     Released with Windows 2008 and 2008 R2.  Built into OS.
    ADFS 2.0     Released after Windows 2008 / 2008 R2.  Separate download from here.
    ADFS 2.1     Windows 2012
    ADFS 3.0     Windows 2012 R2

    Update 5-5-2014:    Please also see this post on exploring ADFS 2012 R2 Extranet Lockout protection. 

    Update 29-5-2014:  Please also review update 2948086 Update that improves AD FS proxy and STS reliability in Windows Server 2012 R2 when multiple clients sign in.

    Update 9-9-2014:    For the other posts on ADFS, please view this tag cloud.

    Planning And Prerequisites, And Other Fun Details

    Prerequisites

    The prerequisites are listed on TechNet.  Of course, before jumping into the install, the installation needs to be planned.

    ADFS Role Planning

    The ADFS role should be deployed within the corporate network, and not in the DMZ.  The ADFS proxy role is intended to be installed into the DMZ.

    The default topology for Active Directory Federation Services (AD FS) is a federation server farm, using the Windows Internal Database (WID), that consists of up to five federation servers hosting your organization’s Federation Service. In this topology, AD FS uses WID as the store for the AD FS configuration database for all federation servers that are joined to that farm. The farm replicates and maintains the Federation Service data in the configuration database across each server in the farm.

    Since the availability of Office 365 relies upon the availability of ADFS when the domain is federated there is a strong recommendation to have at least two ADFS servers with a redundant ADFS proxy infrastructure.

    Please review the design guidance on TechNet.

    ADFS Service Account

    We can now use a standard service account or a Group Managed Service Account in ADFS 2012 R2.

    In this case, since the KDS root key was not configured, let’s use a standard service account.

    The installation process should set the required Service Principal Names (SPN) on the account.

    ADFS Namespace

    Select what name you are to use to access ADFS.  Typically this is along the lines of:

    sts.wingtiptoys.ca

    adfs.tailspintoys.ca

    Note that this is the namespace for the ADFS service.  Since we will be using Kerberos to access ADFS internally, there must be a Service Principal Name (SPN) registered for this name.  This will be associated with the service account, and since SPNs operate in “Highlander – there can be only one!” mode you do not want to duplicate the SPN on the ADFS server by naming the computer the same as the ADFS namespace.
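As an added check (not part of the original post), the PowerShell below confirms from a domain-joined machine that the HOST SPN for the ADFS namespace is registered exactly once and on the service account rather than on a computer account. It assumes the RSAT ActiveDirectory module and the names used in this post (adfs.tailspintoys.ca, and the service account ADFS-Service introduced later).

```powershell
# Added example, not from the original post.  Confirms that the Kerberos SPN for
# the ADFS namespace exists exactly once and sits on the service account rather
# than on the ADFS computer account.  Names are assumed from this post.
Import-Module ActiveDirectory

$FederationServiceName = 'adfs.tailspintoys.ca'   # the ADFS namespace
$ServiceAccount        = 'ADFS-Service'           # sAMAccountName of the ADFS service account
$Spn                   = "HOST/$FederationServiceName"

# Every object in the domain that carries this SPN.  A healthy deployment
# returns exactly one object, and that object is the service account.
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" `
                          -Properties objectClass, sAMAccountName)

switch ($holders.Count) {
    0 {
        Write-Warning "$Spn is not registered on any account."
        Write-Warning "Kerberos to $FederationServiceName will fail or fall back to NTLM; the configuration wizard normally registers it, or run: setspn -S $Spn $ServiceAccount"
    }
    1 {
        $holder = $holders[0]
        if ($holder.ObjectClass -eq 'computer') {
            # Typical cause: the ADFS server was given the same name as the namespace.
            Write-Warning "$Spn is on the computer account '$($holder.sAMAccountName)'; rename the server or move the SPN to $ServiceAccount."
        }
        elseif ($holder.sAMAccountName -ne $ServiceAccount) {
            Write-Warning "$Spn is on '$($holder.sAMAccountName)', not on '$ServiceAccount'."
        }
        else {
            Write-Output "OK: $Spn is registered once, on $ServiceAccount."
        }
    }
    default {
        # 'There can be only one': a duplicated SPN leaves the KDC unable to pick the right account.
        Write-Warning "$Spn is registered on $($holders.Count) objects:"
        $holders | Format-Table sAMAccountName, ObjectClass, DistinguishedName -AutoSize
    }
}

# Forest-wide sweep for any other duplicated SPNs (setspn.exe ships with Windows).
setspn -X
```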

    You also want to discuss what display name should be chosen, as this will be visible to users.

    Certificates

    Since ADFS leverages SSL, we need to have a SSL certificate.  You could try three options, but only one will work:

    1. Self-signed certificate
    2. Certificate issued from internal PKI
    3. Certificate from 3rd party public CA

    Office 365 needs to see a valid Service Communication Certificate on your ADFS infrastructure, so you are going to have to buy a certificate from a public CA.  Office 365 will not trust a service communication certificate that is either self-signed or from your internal CA, which results in tears.  We can use self-signed certificates for the Token Decrypting and Token Signing Certificate.  These are separate from the service communication cert.

    Please follow the documentation from your chosen CA to request, install and complete the certificate.  The steps required vary from vendor to vendor and also over time.  Make sure you are not missing any updated intermediate certificates!  How would you know?  Follow their  process!!
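The following script is an added example, not code from the original post: it inspects the service communication certificate in the computer's personal store before the configuration wizard is run, checking for the private key, a self-signed issuer, a chain that builds with revocation checking (a missing intermediate shows up here), a name that covers the ADFS namespace, and impending expiry. The federation service name is assumed from this post.

```powershell
# Added example, not from the original post.  Inspects the service communication
# certificate in the computer's personal store before the ADFS configuration
# wizard is run: private key present, not self-signed, chain builds (including
# revocation), name covers the ADFS namespace, not about to expire.

function Get-CertificateDnsNames {
    # Returns the CN plus every DNS name in the Subject Alternative Name extension (OID 2.5.29.17).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                  ForEach-Object { $_.Groups[1].Value }
    }
    $names
}

function Test-AdfsServiceCertificate {
    param([Parameter(Mandatory = $true)] [string] $FederationServiceName)

    # Exact-name match; a wildcard certificate would need a pattern match here instead.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { (Get-CertificateDnsNames $_) -contains $FederationServiceName } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    if ($null -eq $cert) {
        Write-Warning "No certificate for $FederationServiceName in Cert:\LocalMachine\My"
        return $false
    }
    Write-Output "Thumbprint : $($cert.Thumbprint)"
    Write-Output "Issuer     : $($cert.Issuer)"
    Write-Output "Expires    : $($cert.NotAfter)"
    $ok = $true

    # The wizard only offers certificates whose private key is present.
    if (-not $cert.HasPrivateKey) { Write-Warning 'No private key; re-import the PFX.'; $ok = $false }

    # Office 365 does not trust self-signed service communication certificates.
    if ($cert.Subject -eq $cert.Issuer) { Write-Warning 'Self-signed; Office 365 will not trust it.'; $ok = $false }

    # Build the chain the way a relying party would, with online revocation checking.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    if ($chain.Build($cert)) {
        # The root tells you whether this came from a public CA or your internal PKI.
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        Write-Output "Root CA    : $($root.Subject)"
    }
    else {
        $ok = $false
        foreach ($s in $chain.ChainStatus) {
            Write-Warning "Chain: $($s.Status) - $($s.StatusInformation.Trim())"
        }
        # PartialChain / UntrustedRoot almost always means a missing intermediate certificate.
    }

    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning 'Expires within 30 days.'; $ok = $false }
    return $ok
}

Test-AdfsServiceCertificate -FederationServiceName 'adfs.tailspintoys.ca'
```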

    For the purposes of this post we shall deploy the initial ADFS server, and in the future add another ADFS server for redundancy.

    Installing ADFS On Windows Server 2012 R2

    After starting up server manager’s add roles and features wizard, select Active Directory Federation Services, then click next. 

    ADFS 2012 R2 Role Installation

    We don’t need to add any additional features.  Remember that the IIS dependency was removed in ADFS 2012 R2.

    ADFS 2012 R2 Role Installation

    Clicking next takes us to the ADFS splash screen.  Note that it helpfully tells us that the specific ADFS proxy role has been removed in Windows 2012 R2 and how to go about installing it.  Shame I missed that the very first time  I ran this, and could not find the old school ADFS Proxy role…

    ADFS 2012 R2 Role Installation

    Clicking next will then install the necessary bits.

    ADFS 2012 R2 Role Installation Confirmation

    Bits are being shuffled around…

    ADFS 2012 R2 Role Installation In Progress

    Shuffling has been completed, and the installation is complete.   You can launch the ADFS configuration wizard from here, or alternatively if this window is closed it can be launched from server manager.

    ADFS 2012 R2 Install Role

    Before starting the ADFS configuration wizard I had already installed my 3rd party certificate and tested that it was correctly installed.

    Additionally a service account called ADFS-Service  was also pre-created.

    The wizard also states that you must have access to Domain Admin (DA) credentials!

    Note that you are only given the option either to make a new ADFS farm or to add this box to an existing farm.  This avoids the painful issue from older ADFS builds where, if ADFS was not installed into a farm, you were then unable to easily add a second ADFS server for redundancy.

    ADFS 2012 R2 Install Welcome Screen

    Provide your domain admin credentials.

    ADFS 2012 R2 Install Connect To AD

    We need to select the SSL certificate that we will use and also provide the ADFS name we selected in the design process.

    In this case the name is adfs.tailspintoys.ca   -- note that there is no concept of an InternalURL or ExternalURL for the ADFS namespace.  Clients will use the same name on the intranet and internet to locate ADFS.  Thus split DNS will make life simple!

    Provide your chosen display name, and click next.

    ADFS 2012 R2 Install Specify Service Properties

    As mentioned earlier it is possible to use a GMSA as the ADFS service account.  GMSA will automatically update the service account’s credentials and administrators will also be oblivious as to its password.

    In this case a standard service account was used.

    ADFS 2012 R2 Install Specify Service Account

    Select the database configuration as per the design.

    The Tailspintoys corporation will use WID.

    ADFS 2012 R2 Install Specify Database

    Review the options, and when happy pull the trigger!

    ADFS 2012 R2 Install Review Options

    For reference the PowerShell script is shown here (the trailing characters of the thumbprint are not valid hex; substitute the thumbprint of your own service communication certificate):

    #
    # Windows PowerShell script for AD FS Deployment
    #

    Import-Module ADFS

    # Get the credential used for the federation service account
    $serviceAccountCredential = Get-Credential -Message "Enter the credential for the Federation Service Account."

    # Create the first node of a new farm (WID).  The thumbprint identifies the
    # service communication certificate in the computer's personal store, and the
    # federation service name must match the ADFS namespace chosen in the design.
    Install-AdfsFarm `
    -CertificateThumbprint:"5804746A7980C8682FBF408D48EF6C3B02A5ZORG" `
    -FederationServiceDisplayName:"Tailspintoys STS" `
    -FederationServiceName:"adfs.Tailspintoys.ca" `
    -ServiceAccountCredential:$serviceAccountCredential

    The ADFS pre-requisite checks are done, and we can proceed to the configuration:

    ADFS 2012 R2 Install Pre-Requisite Checks Completed

    One coffee later, we have a shiny new ADFS server – whoo!!

    ADFS 2012 R2 Installation Completed

    We are not quite done yet; there are a couple of additional things to do!

    Next Steps

    ADFS Update(s)

    Update 29-5-2014:  Please also review update 2948086 Update that improves AD FS proxy and STS reliability in Windows Server 2012 R2 when multiple clients sign in.

    Update 11-12-2014:  The above update 2948086  is now bundled in this rollup: May 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2

    Update 16-7-2014:  Other updates you may want to review are at the bottom of this post.

    When multiple clients (over 200 clients) try to sign in by using an Active Directory Federation Services (AD FS) proxy, the AD FS proxy consumes 100% usage of the CPU. In this situation, the AD FS proxy performance is slow, and causes a delay that exceeds 10 seconds. This also causes STS to work under minimal load. Therefore, STS rejects the requests or serves only 5 to 10 requests per second.

    DNS A Record

    We must create the DNS record  for the ADFS instance.  This maps to the ADFS namespace that we previously planned.  Create this A record in your internal DNS infrastructure.

    Once the DNS record has been created and propagated, ensure that it resolves correctly.

    One thing to mention here: if you create a CNAME and point it at the server hosting ADFS, chances are that you will run into a never-ending authentication prompt situation.

    In the example below the ADFS namespace is adfs.tailspintoys.ca and a CNAME was used to direct traffic to the ADFS server called tail-ca-sts.tailspintoys.ca.  This will likely cause the client to obtain a Kerberos ticket for the incorrect name (the server’s rather than the namespace’s), which does not match the SPN registered for ADFS.

    ADFS Name Resolution Using DNS CNAME Record

    The easiest way to stop this is to use  a regular A record, like so:

    ADFS Name Resolution Using DNS A Record

    There is also an option contained in KB 911149  that some folks have mentioned.
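As an added example (not from the original post), the script below can be run on a domain-joined client to confirm that the ADFS namespace is served as an A record rather than a CNAME, and that the KDC will actually issue a ticket for HOST/<namespace>, which proves the SPN is registered on one account. The name is assumed from this post; Resolve-DnsName needs Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the original post.  Run on a domain-joined client:
# checks that the ADFS namespace resolves via an A record (not a CNAME) and
# that the KDC will issue a ticket for HOST/<namespace>.  Name assumed from
# this post; Resolve-DnsName needs Windows 8 / Server 2012 or later.

$FederationServiceName = 'adfs.tailspintoys.ca'

# -DnsOnly bypasses the hosts file and the local cache so we see what DNS really serves.
$answers = Resolve-DnsName -Name $FederationServiceName -Type A -DnsOnly -ErrorAction Stop

$cname = $answers | Where-Object { $_.Type -eq 'CNAME' }
if ($cname) {
    Write-Warning "$FederationServiceName is a CNAME for $($cname.NameHost)."
    Write-Warning "Clients will request a ticket for the canonical name (HOST/$($cname.NameHost)), which is not the ADFS SPN; expect endless credential prompts.  Replace the CNAME with an A record."
}
else {
    $a = $answers | Where-Object { $_.Type -eq 'A' }
    Write-Output "OK: $FederationServiceName is an A record -> $($a.IPAddress -join ', ')"
}

# Ask the KDC for a service ticket for the ADFS SPN.  This succeeds only if the
# SPN is registered on exactly one account; klist lists the ticket it obtained.
$spn   = "HOST/$FederationServiceName"
$klist = klist get $spn 2>&1 | Out-String
if ($klist -match "Server:\s*$([regex]::Escape($spn))\s*@") {
    Write-Output "OK: Kerberos ticket obtained for $spn"
}
else {
    Write-Warning "No Kerberos ticket for $spn (SPN missing or duplicated?).  klist output:"
    Write-Output $klist
}
```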

    Additional Steps

    This topic covers additional steps to configure AD FS after you install the first federation server, including:

    For more information about how to deploy AD FS, see How to deploy AD FS in Windows Server 2012 R2.

    Verify Federation Service Metadata

    Open Internet Explorer and navigate to your ADFS server’s federation metadata URL.

    This will be something like the below, just change the FQDN to match your environment.

    https://adfs.tailspintoys.ca/federationmetadata/2007-06/federationmetadata.xml

    https://sts.contoso.com/federationmetadata/2007-06/federationmetadata.xml

    The result should show this:

    Testing ADFS Federation Metadata

    Verify ADFS Sign-In Page

    Browse to the ADFS sign-in page and test that you are able to authenticate.

    The URL will be similar to the below, again change the FQDN to match your organisation’s.

    https://adfs.tailspintoys.ca/adfs/ls/idpinitiatedsignon.htm

    https://sts.contoso.com/adfs/ls/idpinitiatedsignon.htm


    You should see the below, and be prompted to sign in:

    ADFS 2012 R2 Sign-In Page

    Depending upon how IE is configured you will either be prompted to provide credentials or be automatically signed-in.

    If you want to have users be automatically signed-in then configure your browser settings to trust the federation server role by adding your federation service name (for example, https://adfs.tailspintoys.ca) to the browser’s local intranet zone. This will enable seamless sign-in using Windows Integrated Authentication.

    ADFS 2012 R2 Enabling Automatic Sign-in For Local Intranet Zone

    Once we are happy that the ADFS instance is functioning appropriately we can then move onto installing the ADFS proxy role.

    This will be covered in a separate post, to prevent this one getting too long!

    Cheers,

    Rhoderick

  • How To Install ADFS 2012 R2 For Office 365–Part 2

    In part one we installed the ADFS server on our corporate network, and tested that it was working.

    Now we need to make the ADFS infrastructure available to the Internet in a secure fashion, so that Office 365 will be able to contact the ADFS proxy to authenticate user requests.

    In part three we will add the ADFS infrastructure to the Office 365 configuration.

    Planning And Prerequisites

    Install And Configure ADFS Proxy OS

    In this installation, the ADFS proxy server will be placed into the DMZ, and installed as a workgroup machine since the Tailspintoys organisation does not possess a separate management forest in the DMZ.  Ensure the machine is built as per your standard build process, is secured and all Microsoft updates are installed.

    You will want to install the April 2014 Windows 2012 R2 update to light up additional pieces of ADFS functionality, but we will save that for a later blog post.  If you do want to take a peek at this now, the PFE Platform folks are rocking it over here – please subscribe to their RSS feed too!

    Install  And Verify Certificate

    As discussed in part one, you will need a certificate from a trusted third party.  Ensure that you check with the CA to ensure that you are able to install the certificate onto multiple servers as this is blocked in some license agreements.  This is something that you must check directly with the CA.

    If you are allowed to install the certificate from the ADFS server, then this simplifies matters else you will require an additional certificate.  The name must match the ADFS namespace that you selected through the ADFS design process.

    Name resolution

    Since the ADFS proxy server will be in a network that may not have access to the internal DNS zone information, ensure that it is able to resolve the ADFS namespace to the internal ADFS server.  A swift update to the local hosts file may suffice; just remember to add this to your build documentation.

    External DNS Record

    Create an external DNS record for the ADFS proxy server.  This A record will exist in the external DNS zone if you are using split DNS.  In the Tailspintoys enterprise (cough, cough this lab) the internal DNS zone is held in AD integrated DNS zones.  The external zone is at a commercial ISP, so the external DNS record was created at the commercial ISP so that it resolves to the external IP of the ADFS proxy when I am at Starbucks.

    Open Firewalls

    Having the external DNS record point to the ADFS proxy’s external IP address will not allow traffic to flow unless the firewalls are configured to do so.  In enterprises the ADFS proxy server will be installed into a DMZ, so there will be an internal and an external firewall.  Both must be opened to allow SSL traffic over TCP port 443.  In addition to this the ADFS proxy will also need access to the CRL distribution points on the Internet to verify certificate validity.

    Exchange administrators should be used to this by now, as they have seen Exchange updates take a long time to install on Exchange servers that do not have access to crl.microsoft.com.  In the case of ADFS, the server should be able to reach the CRLs of the external CAs.
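The script below is an added example (not from the original post) to run on the ADFS proxy before the WAP wizard: it tests the TCP 443 path through the internal firewall to the ADFS server, then pulls the CRL distribution points out of the installed certificate and confirms each HTTP CRL is reachable from the DMZ. The federation service name is assumed from this post; Test-NetConnection needs Windows 8.1 / Server 2012 R2.

```powershell
# Added example, not from the original post.  Run on the ADFS proxy: verifies
# TCP 443 to the internal ADFS server and that the CRL distribution points of
# the installed certificate are reachable.  Name assumed from this post.

$FederationServiceName = 'adfs.tailspintoys.ca'

# 1. The proxy must resolve the namespace to the INTERNAL ADFS server (hosts
#    file or DMZ DNS) and reach it on 443 through the internal firewall.
$tcp = Test-NetConnection -ComputerName $FederationServiceName -Port 443 -WarningAction SilentlyContinue
if ($tcp.TcpTestSucceeded) {
    Write-Output "OK: TCP 443 to $FederationServiceName ($($tcp.RemoteAddress)) is open"
}
else {
    Write-Warning "TCP 443 to $FederationServiceName ($($tcp.RemoteAddress)) is blocked; check name resolution and the internal firewall"
}

# 2. Pull the CRL distribution points (OID 2.5.29.31) out of the installed
#    certificate.  Blocked CRL URLs show up as slow or failing TLS handshakes
#    and slow certificate-related installs, as the post describes.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$FederationServiceName*" } |
        Select-Object -First 1
if ($null -eq $cert) {
    Write-Warning "No certificate for $FederationServiceName in Cert:\LocalMachine\My"
    return
}

$cdp  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
$urls = @()
if ($cdp) {
    # Format($true) renders lines such as "URL=http://crl.example.com/ca.crl"; keep HTTP(S) only.
    $urls = [regex]::Matches($cdp.Format($true), 'URL=(https?://\S+)') |
            ForEach-Object { $_.Groups[1].Value }
}
if ($urls.Count -eq 0) {
    Write-Warning 'Certificate has no HTTP CRL distribution point to test'
    return
}

foreach ($url in $urls) {
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        Write-Output "OK: CRL $url (HTTP $($resp.StatusCode), $($resp.RawContentLength) bytes)"
    }
    catch {
        Write-Warning "CRL $url not reachable from this host: $($_.Exception.Message)"
    }
}
```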

    Installing Web Application Proxy

    Let’s fire up the Add Roles Wizard from server manager!

    Windows 2012 R2 Add Roles And Features Wizard

    As noted in the previous post, there is no longer a separate ADFS proxy role in Windows 2012 R2.  The Remote Access feature provides VPN, Direct Access and Web Application Proxy (WAP) functionality.  It is the latter that we need to install. 

    Select Remote Access and let’s go find the droids we are looking for…

    Installing Windows 2012 R2 Remote Access Role Service

    Unless you want to add any features, like telnet * for troubleshooting purposes later, click next.

    Installing Windows 2012 R2 Remote Access Role Service

    The Remote Access role selection process starts.  Unlike in days of old when installing a feature would install all of the bits, and by extension potential vulnerabilities, Windows now wants to only install the bare minimum.  This is a paradigm shift compared to the early days of IIS where it would install everything and then you have to spend time stripping stuff back out.  Index extension attack anyone?

    In our case we just want to install the Web Application Proxy role service, so select that and click next.

    Windows 2012 R2 Select Remote Access Role Service

    Confirm the choice, and then install.

    Windows 2012 R2 Confirm Remote Access Role Service

    Once the necessary WAP role services are installed, we are then able to launch the Web Application Proxy Wizard to configure WAP.

    Windows 2012 R2 Remote Access Role Installation Complete

    Configure Web Application Proxy

    We need to configure the WAP proxy with the necessary information so that it knows it will be publishing our internal ADFS server and how to access ADFS.

    Configure 2012 R2 Web Application Proxy For ADFS

    On the screen below is where most configuration issues arise with this process.  What a lot of folks do is interpret the Federation service name as the display name of the ADFS server.  That will not get you very far unfortunately…

    Windows 2012 R2 ADFS Proxy Configuration - Beware Federation Service Name

    The federation service name field does NOT want you to enter the display name of the ADFS server farm.  The display name in the previous example was “Tailspintoys STS”, and this can be checked by looking in the ADFS console:

    Server 2012 ADFS Role Properties - Showing Display Name And Federation Service Name

    If you look closely at the ADFS properties, the federation service name is actually the FQDN of the service.  In our case this is adfs.tailspintoys.ca so let’s enter that along with credentials on the ADFS server so we are able to access ADFS.

    Windows 2012 R2 ADFS Proxy Configuration - Federation Service Name Correctly Filled In

    In the same way that we require a SSL certificate on the ADFS server, the same is true on the ADFS proxy as clients will establish SSL sessions to this machine which will then be bridged to the internal ADFS server.

    Since the certificate was installed and verified as part of the preparatory work, we select it and move on.

    Verify the details, and click configure.

    Windows 2012 R2 ADFS Proxy Configuration Verify Details

    The wizard starts to configure the ADFS proxy.

    Windows 2012 R2 ADFS Proxy Configuration Starting...

    And shortly thereafter completes!

    Windows 2012 R2 ADFS Proxy Configuration Complete

    Verifying ADFS Proxy Installation

    At this time we should have a functional ADFS proxy server that is able to provide internet based users with access to our ADFS server’s authentication services.  But as always, we need to test!

    To open up the Remote Access management console, use the Remote Access Management shortcut in administrative tools.

    If you have immediately launched this after installing the ADFS proxy it may take a few seconds or a refresh to show up.  The other top tip is not to look for a published web app.  Remember that WAP can be used to publish various applications to the internet, but in this case we are just wanting to use the base ADFS proxy components.

    To check that the ADFS proxy is running, click on Operational Status in the left-hand tree.

    Server 2012 R2 Remote Access Management Console

    Selecting the operational status will then show how the ADFS proxy is currently running.  You can also jump to Perfmon or Event Viewer from this node.

    Should the ADFS proxy have an issue the console will light up like a Christmas tree.  In this case I deliberately stopped the “Active Directory Federation Services” service on the ADFS proxy, please click to enlarge the image:

    Less Than Happy ADFS Proxy Server

    And as expected with the ADFS proxy crippled users will not be able to authenticate, even if they try an alternative browser!

    No ADFS Love Here For You!

    Even though the Windows service is named the same on both the ADFS server and the ADFS proxy, note that the executable path is different:

    Server 2012 R2 ADFS Proxy Service Details

    Server 2012 R2 ADFS Server Service Details

    Verify ADFS Proxy Configuration

    In Event Viewer on the ADFS proxy, open up the Application and Services logs and check that the proxy is able to retrieve its configuration from the ADFS server.  This can be seen here, click to enlarge:

    ADFS Proxy Application And Services  Event Log

    With the full event details shown here:

    Server 2012 R2 ADFS Proxy - Retrieving Configuration From ADFS Server

    Verify Federation Service Metadata

    Using the same URL as before, open Internet Explorer and navigate to your ADFS server’s federation metadata URL.

    This will be something like the below, just change the FQDN to match your environment.

    https://adfs.tailspintoys.ca/federationmetadata/2007-06/federationmetadata.xml

    https://sts.contoso.com/federationmetadata/2007-06/federationmetadata.xml

    The intent here is to ensure that we are able to get to the site externally.  If you are not able to see the ADFS text rendered in the browser, start with ensuring that the firewalls are not dropping traffic.
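Both the part 1 and part 2 metadata checks above are done in a browser. As an added example (not code from the original posts), the function below does the same fetch in PowerShell and then parses the document: it checks that the entityID is the default issuer derived from the federation service name and lists the token-signing certificates the farm advertises, which is what Office 365 will consume. Run it internally against the ADFS server and externally against the proxy; the namespace is assumed from these posts.

```powershell
# Added example, not from the original posts.  Fetches and parses the federation
# metadata document and checks the entityID and advertised signing certificates.

function Test-AdfsFederationMetadata {
    param([Parameter(Mandatory = $true)] [string] $FederationServiceName)

    $url = "https://$FederationServiceName/federationmetadata/2007-06/federationmetadata.xml"
    try {
        # Certificate validation is still enforced, so an untrusted or misnamed
        # service communication certificate surfaces here as an exception.
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 30
    }
    catch {
        Write-Warning "Could not fetch $url : $($_.Exception.Message)"
        Write-Warning 'Externally, start with the firewalls; internally, check DNS and the service communication certificate.'
        return $false
    }

    [xml] $md = $resp.Content
    $ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    $ok = $true

    # The entityID is the issuer Office 365 sees in every token; by default ADFS
    # derives it from the federation service name.
    $entityId = $md.DocumentElement.GetAttribute('entityID')
    $expected = "http://$FederationServiceName/adfs/services/trust"
    Write-Output "entityID : $entityId"
    if ($entityId -ne $expected) {
        Write-Warning "entityID differs from the expected default '$expected'"
        $ok = $false
    }

    # Token-signing certificates advertised to relying parties (use="signing").
    $nodes = $md.SelectNodes("//md:KeyDescriptor[@use='signing']//ds:X509Certificate", $ns)
    $certs = @($nodes | ForEach-Object {
        $bytes = [Convert]::FromBase64String($_.InnerText)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (, $bytes)
    } | Sort-Object Thumbprint -Unique)

    if ($certs.Count -eq 0) {
        Write-Warning 'No token-signing certificate found in the metadata'
        return $false
    }
    foreach ($c in $certs) {
        Write-Output "signing  : $($c.Subject) thumbprint $($c.Thumbprint) expires $($c.NotAfter)"
        # Office 365 must be updated before this certificate rolls over.
        if ($c.NotAfter -lt (Get-Date).AddDays(30)) {
            Write-Warning "Token-signing certificate $($c.Thumbprint) expires within 30 days"
            $ok = $false
        }
    }
    return $ok
}

Test-AdfsFederationMetadata -FederationServiceName 'adfs.tailspintoys.ca'
```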

    Verify ADFS Sign-In Page

    Browse to the ADFS sign-in page and test that you are able to authenticate.

    The URL will be similar to the below, again change the FQDN to match your organisation’s.

    https://adfs.tailspintoys.ca/adfs/ls/idpinitiatedsignon.htm

    https://sts.contoso.com/adfs/ls/idpinitiatedsignon.htm

    You should see the below, and be prompted to sign in:

    (Note that I did not full screen the window before grabbing capture else it would be too small)

    Sign In To The Tailspintoys STS

    Clicking the Sign In button will prompt for credentials:

    Sign In To The Tailspintoys STS

    If you successfully authenticate then you will be rewarded with this stellar screen:

    Now Signed  In To The Tailspintoys STS

    And if you are unable to type a password (like me doing demos) then you will get this less than stellar result:

    OOOOpseys -- Signed  In Failed  To The Tailspintoys STS

    In part three we will finish this off, and instruct Office 365 to leverage the shiny ADFS infrastructure to authenticate users.

    Cheers,

    Rhoderick

    * – Not having telnet client by default always grates.  In the same way that explorer file options are always set to hide the good stuff like file extensions, system files and the ilk.

  • How To Install ADFS 2012 R2 For Office 365–Part 3

    Well then, here we are in part three already!  Previously we:

    Installed ADFS 2012 R2 For Office 365 in part 1

    Installed ADFS 2012 R2 Proxy For Office 365 in Part 2

    Now we want to change the Office 365 domain to be a federated domain.  As discussed in part 1, this means that all of the users who authenticate using this domain will become a federated identity and the on-premises ADFS server is responsible for authenticating these requests.

    Update 20-8-2014: Added comment for SupportMultipleDomain switch for the Convert-MSOLDomainToFederated cmdlet.

    Importance Of ADFS When Office 365 Relies Upon It

    Before we discuss the integration of Office 365 with the on-premises ADFS infrastructure, let’s again be clear on the criticality of ensuring that ADFS is available when the Office 365 domain is set to use ADFS authentication.  If the ADFS infrastructure is unavailable for any reason, Office 365 cannot complete the authentication process and users cannot access Office 365.  This will cause a service-impacting outage that will require resolution from you, not Microsoft’s online services team.

    For this reason, unless you really need to leverage ADFS please review the DirSync password synchronisation feature in the recent DirSync builds.

    Apologies if I sound pessimistic, but I don’t want to obviate the requirement for ADFS redundancy!

    ADFS in Azure

    On the topic of ADFS redundancy one option is to also host a portion of your ADFS infrastructure in Azure.  This is a perfect solution if you do not have sufficient capacity in your current datacentre, or your datacentres are located in close proximity of each other and a major incident would take both of them down.

    There is a whitepaper published for this exact scenario. Please check this link. The documentation covers three main scenarios to meet the situations discussed above:

    • Scenario 1: All Office 365 SSO integration components deployed on-premises. This is the traditional approach; you deploy directory synchronization and Active Directory Federation Services (AD FS) by using on-premises servers.
    • Scenario 2: All Office 365 SSO integration components deployed in Windows Azure. This is the new, cloud-only approach; you deploy directory synchronization and AD FS in Windows Azure. This eliminates the need to deploy on-premises servers.
    • Scenario 3: Some Office 365 SSO integration components deployed in Windows Azure for disaster recovery. This is the mix of on-premises and cloud-deployed components; you deploy directory synchronization and AD FS, primarily on-premises and add redundant components in Windows Azure for disaster recovery.

    This is an example of hosting ADFS in Azure for DR purposes:

    Hosting ADFS In Azure For DR Purposes

    AD FS is supported for deployment on Azure Virtual Machines, but there are AD FS best practices that require technologies beyond what AD FS itself offers, such as load balancing and high availability.  In addition, please also consider the pricing for running this IaaS.  Read through the deployment caveats in the ADFS Azure documentation above and also the additional discussion points here.

    Updating ADFS

    Back to the business at hand – updating Office 365 so that it now uses your on-premises ADFS server!

    We will run the commands below on a domain-joined server on the corporate network which has the Windows Azure Active Directory PowerShell Module and the Microsoft Online Services Sign-In Assistant (SIA) installed.  Let’s launch the WAAD PowerShell module.  For reference, the remote ADFS server is Tail-CA-STS.TailspinToys.ca.

    For other WAAD management tasks, take a peek at Manage Azure AD using Windows PowerShell page.

    Using Connect-MsolService let’s connect to our WAAD instance.  Provide a set of global admin credentials:

    Connecting to Windows Azure Active Directory

    We can see the current status of the domains within this tenant.  The Get-MsolDomain cmdlet will show the domains, and we are interested in the first domain – “Tailspintoys.ca”.

    Reviewing Starting Domain Status

    Before we can execute the Convert-MsolDomainToFederated cmdlet, we also need to hook into the local ADFS server (not the ADFS proxy) so that we can configure it.

    There is a word of warning here, as chances are that you will see this lovely screen that features copious red text.

    Set-MsolADFSContext : The connection to <ServerName> Active Directory Federation Services 2.0 server failed due to invalid credentials.


    This is caused by Remote PowerShell not being enabled on the remote ADFS server.  This is an issue that is present on ADFS 2012 and ADFS 2012 R2 servers amongst others.  Thankfully it is quite easy to fix, by running the below on the ADFS server:

    Enable-PSRemoting 

    Once Remote PowerShell has been enabled, we can then connect to the ADFS server using the Set-MsolADFSContext cmdlet.  Like the other MSOL cmdlets, this one is just as unforgiving.  If you forget to explicitly use the required parameters, the MSOL cmdlets typically do not prompt like the Exchange cmdlets do.  Because of this I have a habit of always specifying every option and not relying on PowerShell to prompt for required options that were missed.

    Once we have connected to the ADFS server, we use the Convert-MsolDomainToFederated cmdlet to convert the Office 365 domain from Managed to Federated.

    Set-MsolADFSContext -Computer Tail-CA-STS.tailspintoys.ca


    Convert-MsolDomainToFederated -DomainName tailspintoys.ca

     

    Update 20-8-2014:  Andy pointed out in the comments that there is an area of concern to be noted here for customers that have multiple top level domains.  Back with ADFS 2.0, customers with multiple top level UPNs had to deploy separate ADFS instances for each domain suffix.  A rollup was added to assist with this, along with the SupportMultipleDomain switch.   Please see here for more details if you have multiple sign on domains.

     

    Once converted, we check to see if the change applied:

    Converting Domain To Federated

    Yes it did!  The domain is now Federated.

    The full properties of the domain now look like so:

    Viewing All Details Of Converted Domain

    Please be aware that it can take up to two hours for domain authentication changes to apply.  Go drink a vat of coffee or play some flappy birds!
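    The conversion steps above gathered into one script, added here as an example and not code from the original post.  It assumes the Windows Azure AD PowerShell module and the Sign-In Assistant are installed on the management server, that Enable-PSRemoting has already been run on the ADFS server, and that the account used is a global admin.  The server and domain names are the post's Tailspin Toys values and Get-DomainAuthState is a helper written for this example.

```powershell
# Added example, not from the original post: convert an Office 365 domain from
# Managed to Federated against the on-premises ADFS server and verify the result.
# Get-DomainAuthState is a helper written for this example; the server and
# domain names are the post's example values.
param(
    [string]$AdfsServer = 'Tail-CA-STS.tailspintoys.ca',   # internal ADFS server, not the proxy
    [string]$DomainName = 'tailspintoys.ca',
    [switch]$SupportMultipleDomain                          # several UPN suffixes behind one ADFS
)

Import-Module MSOnline
Connect-MsolService   # prompts for global admin credentials

function Get-DomainAuthState {
    param([string]$Name)
    $d = Get-MsolDomain -DomainName $Name
    [PSCustomObject]@{
        Name           = $d.Name
        Status         = $d.Status           # Verified or Unverified
        Authentication = $d.Authentication   # Managed or Federated
    }
}

$before = Get-DomainAuthState -Name $DomainName
if ($before.Status -ne 'Verified') {
    throw "Domain $DomainName is not verified in the tenant; verify it before federating."
}
if ($before.Authentication -eq 'Federated') {
    Write-Warning "Domain $DomainName is already Federated; nothing to convert."
    return
}

# Point the MSOL cmdlets at the on-premises ADFS server. This is the call that
# fails with 'invalid credentials' when Remote PowerShell is off on that server.
Set-MsolADFSContext -Computer $AdfsServer

# Every parameter is passed explicitly; the MSOL cmdlets do not prompt for
# anything that is missing.
$convert = @{ DomainName = $DomainName }
if ($SupportMultipleDomain) { $convert['SupportMultipleDomain'] = $true }
Convert-MsolDomainToFederated @convert

$after = Get-DomainAuthState -Name $DomainName
'{0}: {1} -> {2}' -f $after.Name, $before.Authentication, $after.Authentication

# What Office 365 now believes about the STS: issuer, sign-in endpoints and the
# token-signing certificate it will accept for this domain.
Get-MsolDomainFederationSettings -DomainName $DomainName |
    Format-List IssuerUri, PassiveLogOnUri, ActiveLogOnUri, MetadataExchangeUri

# Side-by-side view of the ADFS and Office 365 copies of the federation
# settings; the two sources should agree on identifier and endpoints.
Get-MsolFederationProperty -DomainName $DomainName | Format-List *
```

    Run it once without -SupportMultipleDomain for a single sign-on domain; the Get-MsolFederationProperty output at the end is the quickest way to spot a mismatch between what ADFS publishes and what the tenant stored.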

     

    Testing Access To Office 365 OWA

    To test that we are being authenticated to Office 365 OWA via ADFS, let’s see what happens now that the domain has been converted to federated.

    Open IE, and navigate to https://outlook.com/tailspintoys.ca; this is the neat shortcut that we can use to access OWA.  Change the domain name to match your own.

    When we go there, the browser is redirected to our on-premises ADFS server, at this URL:  https://adfs.tailspintoys.ca/adfs/ls/?wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline&wctx=wa%3Dwsignin1.0%26rpsnv%3D3%26ct%3D1398824668%26rver%3D6.1.6206.0%26wp%3DMBI_KEY%26wreply%3Dhttps:%252F%252Fwww.outlook.com%252Fowa%252F%26id%3D260563%26whr%3Dtailspintoys.ca%26CBCXT%3Dout

     

    We then sign in to the on-premises ADFS server:

    Sign-In To On-Premises ADFS Server

    ADFS authenticates us, assuming that the password is not fat-fingered, and this authorises Office 365 to let us access OWA:

    Signed In To OWA - What A Glorious Sight -- No EMAIL !!

    The astute reader will notice that IE in-private mode has been used.  This keeps my testing separate from the other IE Instances running on my laptop.

    One thing to note, when testing this connectivity please do so on a regular client machine that has the proper access to the Internet and where the browser is not totally locked down.  In the below example on a Server 2008 R2 SP1 server, when browsing to outlook.com/tailspintoys.ca the user experience is very different from the screenshots above.

    ADFS Redirection Experience When Testing On A Server

    The user will get logged on, but it can be disconcerting if you are expecting the sexy looking ADFS screen and you get an auth prompt instead…..

    ADFS Redirection Experience When Testing On A Server

     

    Testing Office 365 SSO

    Chances are you will have used the TestExchangeConnectivity.com site to test and troubleshoot on-premises issues.  The tool has been expanded so that we can now also use it to test and diagnose Office 365 issues.

    Office 365 Test Connectivity Website

    KB 2650717  How to diagnose single sign-on (SSO) logon issues in Office 365 by using Remote Connectivity Analyzer  discusses using the tool to validate SSO.

    BONUS TIP – if you get tired of typing that long URL to get to the site, try http://exrca.com

     

    Viewing the SSO Shuffle

    Using the IE developer tools, which are accessible by pressing F12, we can see the traffic flow that the browser has taken to reach the sites involved.  You will want to click to enlarge the below.

    Using IE Developer Tools To View SSO Traffic Flow

    Note that we went to the following URLs.  Can you work out why there are three outlook.com ones at the top?

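    To make sense of the redirect chain in that capture, here is an added example (not code from the original post) that decodes the WS-Federation sign-in URL recorded above.  ConvertFrom-WsFedSignInUrl and Test-WsFedSignInUrl are helpers written for this example; the only input is the URL the post captured, and the only dependency is the System.Web assembly that ships with Windows.

```powershell
# Added example, not from the original post: decode the WS-Federation sign-in
# request the browser was redirected to, so the parameters that drove the
# redirect can be read. Both functions are helpers written for this example;
# the sample URL is the one captured in the post.
Add-Type -AssemblyName System.Web   # HttpUtility.ParseQueryString

function ConvertFrom-WsFedSignInUrl {
    param([Parameter(Mandatory=$true)][string]$Url)

    $sts   = ([System.Uri]$Url).Host
    $query = [System.Web.HttpUtility]::ParseQueryString($Url.Substring($Url.IndexOf('?') + 1))

    # wctx is opaque to ADFS: it is handed back unchanged with the token so the
    # relying party (Office 365) knows where the user was heading. Office 365 packs
    # its own URL-encoded query string into it, hence the second decode.
    $ctx = [System.Web.HttpUtility]::ParseQueryString([string]$query['wctx'])

    # ct is a Unix timestamp set when Office 365 issued the redirect
    $epoch  = New-Object DateTime 1970, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)
    $issued = if ($ctx['ct']) { $epoch.AddSeconds([double]$ctx['ct']) } else { $null }

    [PSCustomObject]@{
        FederationServer = $sts                # the STS the browser was sent to
        Action           = $query['wa']        # wsignin1.0 = sign-in request
        RelyingParty     = $query['wtrealm']   # identifier of the RP trust in ADFS
        HomeRealm        = $ctx['whr']         # domain hint Office 365 used to pick this STS
        ReplyTo          = $ctx['wreply']      # where Office 365 sends the user once it has the token
        IssuedUtc        = $issued
    }
}

function Test-WsFedSignInUrl {
    param([Parameter(Mandatory=$true)][string]$Url)
    $r = ConvertFrom-WsFedSignInUrl -Url $Url
    $problems = @()
    if ($r.Action -ne 'wsignin1.0') { $problems += "unexpected wa '$($r.Action)'" }
    if ($r.RelyingParty -ne 'urn:federation:MicrosoftOnline') { $problems += 'wtrealm is not the Office 365 relying party' }
    if (-not $r.ReplyTo -or ([System.Uri]$r.ReplyTo).Scheme -ne 'https') { $problems += 'wreply is missing or not https' }
    if ($problems.Count -eq 0) { 'OK' } else { $problems -join '; ' }
}

# Sample input: the redirect URL captured in the post
$captured = 'https://adfs.tailspintoys.ca/adfs/ls/?wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline&wctx=wa%3Dwsignin1.0%26rpsnv%3D3%26ct%3D1398824668%26rver%3D6.1.6206.0%26wp%3DMBI_KEY%26wreply%3Dhttps:%252F%252Fwww.outlook.com%252Fowa%252F%26id%3D260563%26whr%3Dtailspintoys.ca%26CBCXT%3Dout'

ConvertFrom-WsFedSignInUrl -Url $captured | Format-List
Test-WsFedSignInUrl -Url $captured
```

    The whr value is the answer to how the browser knew which STS to visit: Office 365 read tailspintoys.ca from the shortcut URL and used it as the home realm hint, and the ct value in the captured request decodes to 30 April 2014 (UTC), matching the date of the screenshots.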

     

    Repairing Office 365 Federated Domain

    As discussed in KB 2647048, there are situations that will require the Office 365 domain federation to be repaired.

    • 2523494 You receive a certificate warning from AD FS when you try to sign in to Office 365, Windows Azure, or Windows Intune
    • 2618887 Error when you try to configure a second federated domain in Office 365: "Federation service identifier specified in the AD FS server is already in use."
    • 2713898 "There was a problem accessing the site" error from AD FS when a federated user signs in to Office 365, Windows Azure, or Windows Intune
    • 2647020 "Your organization could not sign you in to this service" error and "80041317" or "80043431" error code when a federated user tries to sign in to Office 365
    • 2707348 "Metadata Exchange (MEX) document received from AD FS contains an unknown WS-Trust version" error after you run the MOSDAL Support Toolkit
    • The Federation Service name in AD FS is changed. For more info, go to the following Microsoft website: AD FS 2.0: How to Change the Federation Service Name

    For example, you may find yourself running this:

    Updating MSOL Federated Domain
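    The first item in that list, a token-signing certificate that ADFS has rolled but Office 365 does not yet trust, is the one you can check for before users report warnings.  The script below is an added example, not from the post or from KB 2647048: it compares the certificate thumbprints the tenant holds with the primary token-signing certificate on the ADFS server and runs Update-MsolFederatedDomain only when asked.  It assumes an existing Connect-MsolService session, PS Remoting to the internal ADFS server and the ADFS PowerShell module on that server; the helper names are mine and the server and domain names are the post's example values.

```powershell
# Added example, not from the original post or the KB: detect an ADFS
# token-signing certificate that Office 365 does not trust yet and, with
# -Repair, refresh the federated domain. Helper names are written for this
# example; server and domain names are the post's example values.
param(
    [string]$AdfsServer = 'Tail-CA-STS.tailspintoys.ca',
    [string]$DomainName = 'tailspintoys.ca',
    [switch]$Repair   # without this the script only reports
)

function Get-O365TrustedSigningThumbprints {
    param([string]$Domain)
    $fed = Get-MsolDomainFederationSettings -DomainName $Domain
    # Office 365 stores the current and (optionally) next certificate as base64 DER
    foreach ($b64 in @($fed.SigningCertificate, $fed.NextSigningCertificate)) {
        if ([string]::IsNullOrEmpty($b64)) { continue }
        $bytes = [Convert]::FromBase64String($b64)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
        $cert.Thumbprint
    }
}

function Get-AdfsPrimarySigningThumbprint {
    param([string]$Server)
    # Runs on the ADFS server itself, which is why Enable-PSRemoting was needed earlier
    Invoke-Command -ComputerName $Server -ScriptBlock {
        Get-AdfsCertificate -CertificateType Token-Signing |
            Where-Object { $_.IsPrimary } |
            ForEach-Object { $_.Thumbprint }
    }
}

$trusted = @(Get-O365TrustedSigningThumbprints -Domain $DomainName)
$primary = Get-AdfsPrimarySigningThumbprint -Server $AdfsServer

"ADFS signs with:   $primary"
"Office 365 trusts: $($trusted -join ', ')"

if ($trusted -contains $primary) {
    'Federation metadata is in sync; no repair needed.'
    return
}

Write-Warning "ADFS token-signing certificate $primary is not on the Office 365 trust list; federated sign-in will fail until the domain is updated."
if (-not $Repair) { return }

# Same context cmdlet as the original conversion, then push the current ADFS
# metadata (endpoints and certificates) back up to Office 365.
Set-MsolADFSContext -Computer $AdfsServer
Update-MsolFederatedDomain -DomainName $DomainName

$trusted = @(Get-O365TrustedSigningThumbprints -Domain $DomainName)
if ($trusted -contains $primary) {
    'Repair applied; Office 365 now trusts the current ADFS certificate.'
} else {
    Write-Warning 'Office 365 still does not list the ADFS certificate; compare both sides with Get-MsolFederationProperty.'
}
```

    Because the report-only mode needs nothing more than read access, it is safe to schedule ahead of the ADFS certificate rollover date so that the Update-MsolFederatedDomain run happens on your timetable rather than the helpdesk's.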

     

    Additional Reading

    I love this KB as it links to so many other articles that are relevant and introduce many of the issues that can arise with an ADFS deployment.

    KB 2647048 -- How to update or to repair the configuration of the Office 365 federated domain 

    The PFE Platform blog has some great ADFS content, amongst other things.  Just don't propose to Charity via the comment system please!

    How to Build Your ADFS Lab on Server 2012 Part 1

    Introduction to Active Directory Federation Services (AD FS) AlternateLoginID Feature

    Upgrading ADFS to Server 2012 R2

    FAQ on ADFS - Part 1

    Finally the TechNet Wiki has the ADFS content section.

    ADFS Content MAP

     

    Cheers,

    Rhoderick

  • End Of Exchange 2010 SP2 Support

    Time flies and we are now at the end of the Exchange 2010 SP2 support lifecycle.  And as previously discussed, Windows XP and Office 2003 left extended support yesterday.   It seems like only yesterday when Exchange 2010 SP2 was released in November 2011,

    The support lifecycle marker is the Exchange 2010 Service Pack.  Exchange 2010 Rollup Updates (RU) are not milestones in the support lifecycle.  So regardless of whether you have Exchange 2010 SP2 RU 8 installed, that build of Exchange 2010 will no longer receive security updates or code updates.  To receive the support you are entitled to, please ensure that all your Exchange 2010 servers have SP3 installed.  Ideally they will have a recent RU installed as well.  At the time of writing this should be Exchange 2010 SP3 RU4 or RU5, since there is a security issue resolved in Exchange 2010 SP3 RU4.

    One note on EdgeSync and reported Exchange version information.  If you do have Exchange 2010 Edge servers installed, and EdgeSync is configured, then after installing Exchange 2010 SP3 onto the Edge servers you will not see the version information change when you run Get-ExchangeServer on the internal Exchange servers.  This is because the version information is only written when EdgeSync is configured.  To increment the version information in the internal AD, please re-subscribe the Edge servers.

    Please review the lifecycle chart here for full details.

    Exchange 2010 Support Lifecycle Matrix

    So at this point please ensure that you are on SP3. 
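    A quick way to check that, added here as an example and not code from the original post: it flags Exchange 2010 servers whose AdminDisplayVersion is below 14.3 (SP3) and reminds you of the EdgeSync caveat for Edge servers.  Test-Exchange2010ServicePack is a helper written for this example and the server list is constructed; against a live organisation, pipe Get-ExchangeServer into it from the Exchange Management Shell (PowerShell 3.0 or later).

```powershell
# Added example, not from the original post: flag Exchange 2010 servers that are
# below SP3 and therefore no longer receive security updates. The helper and the
# sample server list are constructed for this example; the build numbers are the
# published Exchange 2010 SP baselines (RTM 14.0, SP1 14.1, SP2 14.2, SP3 14.3).
function Test-Exchange2010ServicePack {
    param(
        [Parameter(ValueFromPipeline=$true)] $Server,  # needs Name, ServerRole, AdminDisplayVersion
        [int]$MinimumMinor = 3                          # 14.3 = Exchange 2010 SP3
    )
    process {
        $v = $Server.AdminDisplayVersion
        if ($v.Major -ne 14) { return }                  # not Exchange 2010; nothing to say here
        $level = if ($v.Minor -eq 0) { 'RTM' } else { "SP$($v.Minor)" }
        if ($v.Minor -ge $MinimumMinor) {
            $note = 'supported build'
        } else {
            $note = 'unsupported build: install SP3 plus a current RU'
            # EdgeSync only writes an Edge server's version into AD when the Edge
            # subscription is created, so an Edge showing SP2 here may already be
            # on SP3 and only need to be re-subscribed.
            if ("$($Server.ServerRole)" -match 'Edge') {
                $note += ' (or re-subscribe the Edge server if SP3 is already installed)'
            }
        }
        [PSCustomObject]@{
            Name    = $Server.Name
            Role    = "$($Server.ServerRole)"
            Version = '{0}.{1}.{2}.{3}' -f $v.Major, $v.Minor, $v.Build, $v.Revision
            Level   = $level
            Note    = $note
        }
    }
}

# Constructed sample shaped like Get-ExchangeServer output (not real servers)
$sample = @(
    [PSCustomObject]@{ Name='MBX01';  ServerRole='Mailbox';      AdminDisplayVersion=[version]'14.3.123.4' }
    [PSCustomObject]@{ Name='CAS01';  ServerRole='ClientAccess'; AdminDisplayVersion=[version]'14.2.247.5' }
    [PSCustomObject]@{ Name='EDGE01'; ServerRole='Edge';         AdminDisplayVersion=[version]'14.2.247.5' }
    [PSCustomObject]@{ Name='EX2013'; ServerRole='Mailbox';      AdminDisplayVersion=[version]'15.0.847.32' }
)
$sample | Test-Exchange2010ServicePack | Format-Table -AutoSize

# Live run from the Exchange Management Shell:
# Get-ExchangeServer | Test-Exchange2010ServicePack | Format-Table -AutoSize
```

    The Exchange 2013 server in the sample is skipped on purpose; its lifecycle is tracked by Cumulative Update, not by Service Pack, so the 14.x rule does not apply to it.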

    For details on SP3 – you can take a peek at these articles.

    I also blogged about the expiration of Exchange 2010 RTM and Exchange 2010 SP1 support previously. 

    Full details about the Microsoft lifecycle policy can be viewed here

    http://support.microsoft.com/lifecycle/

    I would also encourage you to sign up to the quarterly lifecycle update newsletter to ensure that you have the knowledge to keep all of your products in a supported state, and continue to receive the support that you are entitled to!

    Cheers,

    Rhoderick

  • Exchange 2013 SP1 Architecture Poster

    In the smelly MEC 2014 man purse, there was a shiny Exchange 2013 SP1 architecture poster.  The MEC attendees were the first ones to get the update to the older Exchange 2013 RTM poster, which is now published for everyone!

    I created a deep zoom of the poster so that it is easy to scroll around on phones and tablet devices.  Click the toggle button at the bottom right hand corner to enter full screen mode.

    Use This Control Box In the Zoom Poster To Navigate

    Use these controls to zoom in on touch devices rather than the native pinch zoom, otherwise the text will not be readable, as you will not be zooming, just stretching the currently rendered image.   If you have a mouse and scroll wheel, that can also be used to zoom in and out.  Pressing ‘Esc’ will exit the zoom and return to the blog.

    You can also directly download the Exchange 2013 SP1 poster from the Microsoft Download Center.

    The Exchange architecture posters have been a very popular wallpaper choice for messaging engineers to adorn their cubicle walls with!  Over the years there have been multiple iterations of the poster, and for reference the older ones are here: 

    Cheers,

    Rhoderick

  • Office 2010 SP2– Do You Need To Upgrade?

     

    Now that the Windows XP, Office 2003 and Exchange 2010 SP2 support expiration date has come and gone, the world is still turning and we are not in a state of Armageddon! *

    That said, focus now needs to be on Office 2010 as it is 6 months until support ends for Office 2010 SP1 on the 14th of October 2014.   At that point all Office 2010 installations need to be on SP2.   This is detailed in the notes column below, since support ends 12 months after the next service pack releases or at the end of the product’s support lifecycle, whichever comes first.

    Office 2010 Support Lifecycle Support Dates

    The Microsoft support lifecycle site has the above details.

    Office 2010 RTM support previously ended on the 10th of July 2012.  If we look at the Office 2010 cumulative update for December 2013, specifically the Description of the Outlook 2010 hotfix package (Outlook-x-none.msp) we can see the platforms that the update supports.  Please note that SP1 and SP2 are valid prerequisites for this update.

    December 2013 Outlook Cumulative Update - For Outlook 2010 SP1 and SP2

    Outlook 2010 RTM is not listed as it was not a supported version at the time the update was released.


    Is This Important?

    In a single word - yes

    If you want to continue to receive security updates for your Office 2010 clients then you need to be at the correct level to get updates.  Once Office 2010 SP1 has transitioned out of support, updates will not be available to that build of the client.  There are lots of other great reasons to keep Outlook updated!  There has been a lot of work to improve the client with recent updates for both on-premises and O365 scenarios.  You will only benefit from that work if you install the updates!

    While we are discussing Outlook 2010 specifically here, the same holds true for all products covered with the Microsoft support lifecycle.  Please sign up for the Microsoft Support Lifecycle Quarterly Update Newsletter to stay abreast of supportability dates and ensure you get the support you deserve!

    Cheers,

    Rhoderick

    *Armageddon was the first DVD that I bought back in 1999, and can remember having to shell out for not just the DVD player but also the hardware decoder card since a Pentium 200 did not really have the juice to render the video!

  • MEC 2014 – The Aftermath

    MEC 2014 has now come and gone, and it's been both an exciting and tiring week!  There was always so much going on that it was a constant battle to decide what to go and see next.  But that is a great dilemma to face.  I will be spending a lot of time in the coming weeks looking at the recordings on the IamMEC.com site.  Jon Orton just commented that the content will be released in the coming weeks for everyone.

    Austin Convention Center

    MEC 2014 was held in the Austin Convention Center.  It was great to get away from -5 °C in Toronto and go to +20 °C in Austin.  Maybe the snow will be gone by the time I get back.  Maybe….

     

     

    MEC 2014 Keynote

    MEC 2014 Backstage Access, Baby!

    The Keynote on Monday demonstrated the increased pace of innovation that the product group are looking to deliver.  2014 and beyond promise to bring lots of value to the service, which will then make its way to the on-premises builds.

    In addition to this, there were two main thoughts that I had from watching the keynote.  Every time someone came on stage they were “excited” to talk to us, “excited” to demo something or “excited” to talk about upcoming features.  Maybe they need to use the shift + F7 feature in Word to find other synonyms….

    The second was the video content produced for MEC.  The Exchange Innovation Lab video featuring Greg “CAS” Taylor, and David “TAP” Espinoza was the funniest bit of the keynote.  It may be a British thing, but I loved the deadpan delivery.

    Exchange Innovation Lab
     
    Hopefully the ‘do not reply all’ feature makes it into the product.  Maybe the other items they proposed at the end of the video will also get baked in!
    Upcoming Exchange Features ????
     
    On a more serious note, announcing that OWA for Android was available, Yammer integration, and demonstrating the OWA clutter feature again showcased the continued value Microsoft is delivering.  As others have already commented in the blogosphere, the move to make OWA the rich client and ActiveSync the reach client is an interesting choice.  With this change, Microsoft is better able to control the user experience on a multitude of devices.  This allows for a very consistent user experience no matter which device you are using!  It also allows for easier updates since Microsoft can apply Exchange server updates to the service, or the admin in an on-prem scenario, and the end user experience is updated.  Of course the recent release of Office for iPad was heavily discussed by the attendees.  As a matter of fact I saw several people using OneNote for iPad to take notes during the sessions.
     
     
    MEC Conference Swag

    The Dell Venue Pro giveaway for the attendees was also a great way to finish off the keynote, and I’m now very glad I didn’t buy one at Christmas!    In addition to the device, there was also an O365 subscription and a 64GB high speed micro SD card.  Tough decision what I carry around now.  Will it be my Surface, or the Venue?
     

     

    Expo Floor

    Stunningly Hot MEC Booth Babe - Phwooooar !!

    The exhibition floor was packed with a multitude of vendors who were eager to showcase their solutions to customers.  Customers were also able to pick up some really neat giveaways.  To the right you can see the closest that I got to a booth babe!

    This is my colleague Wes modelling one of the giveaways.  You will notice the RaaS booth in the background since Wes is one of the global leads for Exchange Risk Assessment As A Service (RaaS).  For more  information on RaaS please take a look at this page.

     

    Exchange Exhibition

    One other area that was cool to walk around was the Exchange exhibition.  The team produced a video covering the history of Exchange since it was born back in 1996.  You can see the Exchange through the ages video below:

    Exchange Through The Ages

    There were previous Exchange books, and for a real trip down memory lane, the Exchange installation media.  That’s right kids, when stuff came on CDs and floppies…..

    Exchange 4.0 Installation Media - Can You Dig It!

    This reminds me that I need to look at that blog post for Exchange 2013 as discussed with the MVPs!

    Now let’s mention the really important aspect of MEC!

    Community

    While the above were all really great technical things to look at the biggest aspect of MEC is connecting with the people who make up the Exchange community!  While this means that countless free bottles of beer have to be consumed whilst talking to people, it was a hard task and I grudgingly stepped up to it! 

    I was fortunate to connect with many of the Exchange product group.  These folks are ridiculously busy.  So any time they take to meet with attendees is great.  I also got to see many of the Exchange MVPs who I see online in the forums which was fantastic, even though one has a crippling nurse fetish.  Though after the keynote, that may have been corrected…  Many Microsoft PFEs and consultants were also attending MEC and it was outstanding to chat with all of them.

    UC Architects Bash

    The UC Architects party was great!  Since they also closed out MEC with a live recording of the latest podcast, I’ll look forward to seeing the more edited version!

     

    Austin is certainly a great place, and I have some very happy memories from both it and MEC.  I must comment on the public transportation system however.  It does seem to be somewhat antiquated, and brings back memories of Fred Flintstone’s troglodyte transport…

    Austin "Beer Bus"

    I can only describe this as a “beer bus”.  The passengers are sitting perpendicular to the direction of travel, and have to pedal to make the vehicle move.  If you look closely at the rear of the “bus” you will see the advanced propulsion fuel container.  A keg……

    Cheers,

    Rhoderick

  • Exchange 2013 Tip Of The Day – 76 To 93

    The other Exchange 2013 tips of the day posts can be found here:

    Exchange 2013 Tip Of The Day – 1   To 25

    Exchange 2013 Tip Of The Day – 26 To 50

    Exchange 2013 Tip Of The Day – 51 To 75

    To obtain the listing below, the following command was used:

    $Int = 76;While ($Int -le 100){Get-Tip $Int;  Write-Host; $Int+=1}

     

    Tip of the day #76:

    To get a list of all parameters available for a cmdlet, type:

    (Get-Command <Cmdlet Name>).Parameters | ft key

    For example, to get all parameters for the New-TransportRule cmdlet, type:

    (Get-Command New-TransportRule).Parameters | ft key

    Tip of the day #77:

    Did you know that you need to use the AssembleMessage script when exporting messages from a queue? For example, if you want to export the message with message ID 1234 from the contoso.com queue on server Mailbox1, you need to run the following command:

    Export-Message -Identity Mailbox1\contoso.com\1234 | AssembleMessage -Path "C:\ExportedMessages\Message1234.eml"

    Tip of the day #78:

    Wondering how many log files are generated per server every minute? Quickly find out by typing:

    Get-MailboxDatabase -Server <Mailbox Server Name> | ?{ %{$_.DatabaseCopies | ?{$_.ReplayLagTime -ne [TimeSpan]::Zero -And $_.HostServerName -eq $env:ComputerName} } } | %{ $count = 0; $MinT = [DateTime]::MaxValue; $MaxT = [DateTime]::MinValue; Get-ChildItem -Path $_.LogFolderPath -Filter "*????.log" | %{ $count = $count + 1; if($_.LastWriteTime -gt $MaxT){ $MaxT = $_.LastWriteTime}; if($_.LastWriteTime -lt $MinT){ $MinT= $_.LastWriteTime} }; ($count / ($MaxT.Subtract($MinT)).TotalMinutes) } | Measure-Object -Min -Max -Ave

    Tip of the day #79:

    Wondering how many log files are generated per database every minute? Quickly find out by typing:

    Get-MailboxDatabase -Server <Mailbox Server Name> | %{ Get-ChildItem -Path $_.LogFolderPath -Filter "*????.log" | Group-Object -Property {$_.LastWriteTime.Day,$_.LastWriteTime.Hour,$_.LastWriteTime.minute} | ?{$_.Count -gt 1} | Measure-Object -Property Count -Min -Max -Ave }

    Tip of the day #80:

    Get quick health and status information for your mailbox database copies by typing:

    Get-DatabaseAvailabilityGroup DAG1 | %{ $_.Servers | %{ Get-MailboxDatabaseCopyStatus -Server $_ } }

    Tip of the day #81:

    Did you know that you can share your calendar and contacts folders with other federated Exchange 2013 organizations by first creating a federation trust with the Microsoft Federation Gateway with a valid digital certificate? Just use the New-FederationTrust cmdlet and the certificate thumbprint to get started. Type:

    New-FederationTrust -Name "Microsoft Federation Gateway" -Thumbprint <certificate thumbprint>

    Finish by setting up an organization relationship with another federated Exchange organization to share limited calendar free/busy information. Type:

    Get-FederationInformation -DomainName <other domain name> | New-OrganizationRelationship -Name "<name of relationship>" -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails

    Tip of the day #82:

    Need to quickly get a list of your Exchange certificates and their thumbprints? Just use the Get-ExchangeCertificate cmdlet. Type:

    Get-ExchangeCertificate | fl

    Want to filter the list and include just the self-signed certificates? No problem! Type:

    Get-ExchangeCertificate | where {$_.IsSelfSigned -eq $true} | fl
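    Tip #82 is where most certificate problems are first spotted, so here is an added example (not one of the product tips) that extends it into an expiry and self-signed report.  Get-ExchangeCertificateReport is a helper written for this example; the sample certificates are constructed to look like Get-ExchangeCertificate output so the logic can be read without a server, and the live run at the bottom assumes the Exchange Management Shell.

```powershell
# Added example, not one of the product tips: turn Get-ExchangeCertificate output
# into an expiry and self-signed report. The helper and the sample certificates
# are constructed for this example; thumbprints below are placeholders.
function Get-ExchangeCertificateReport {
    param(
        [Parameter(ValueFromPipeline=$true)] $Certificate,  # Thumbprint, Subject, NotAfter, IsSelfSigned, Services
        [int]$WarnDays = 30
    )
    process {
        $daysLeft = [math]::Floor(([datetime]$Certificate.NotAfter - (Get-Date)).TotalDays)
        $services = "$($Certificate.Services)"   # e.g. 'IMAP, POP, IIS, SMTP'
        $flags = @()
        if ($daysLeft -lt 0)             { $flags += 'EXPIRED' }
        elseif ($daysLeft -le $WarnDays) { $flags += "expires in $daysLeft days" }
        # The default self-signed certificate legitimately stays bound to SMTP for
        # internal transport TLS; on client-facing services it produces trust
        # warnings and defeats host name checking, so only those are flagged.
        if ($Certificate.IsSelfSigned -and $services -match 'IIS|POP|IMAP') {
            $flags += 'self-signed on client-facing service'
        }
        [PSCustomObject]@{
            Thumbprint = $Certificate.Thumbprint
            Subject    = $Certificate.Subject
            Services   = $services
            SelfSigned = [bool]$Certificate.IsSelfSigned
            DaysLeft   = $daysLeft
            Flags      = ($flags -join '; ')
        }
    }
}

# Constructed sample certificates (placeholder thumbprints, not real servers)
$sample = @(
    [PSCustomObject]@{ Thumbprint='PLACEHOLDER01'; Subject='CN=mail.tailspintoys.ca'; NotAfter=(Get-Date).AddDays(400); IsSelfSigned=$false; Services='IMAP, POP, IIS, SMTP' }
    [PSCustomObject]@{ Thumbprint='PLACEHOLDER02'; Subject='CN=EX01';                 NotAfter=(Get-Date).AddDays(20);  IsSelfSigned=$true;  Services='IIS, SMTP' }
    [PSCustomObject]@{ Thumbprint='PLACEHOLDER03'; Subject='CN=Microsoft Exchange Server Auth Certificate'; NotAfter=(Get-Date).AddDays(-5); IsSelfSigned=$true; Services='SMTP' }
)
$sample | Get-ExchangeCertificateReport | Sort-Object DaysLeft | Format-Table -AutoSize

# Live run from the Exchange Management Shell:
# Get-ExchangeCertificate | Get-ExchangeCertificateReport | Sort-Object DaysLeft | Format-Table -AutoSize
```

    Sorting on DaysLeft puts the expired and soon-to-expire entries at the top; run it on each Mailbox and Client Access server, since Get-ExchangeCertificate reports only the local computer store unless you pass -Server.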

    Tip of the day #83:

    Not sure your federation trust with the Microsoft Federation Gateway is working correctly? To test if a security token can be retrieved, just type:

    Test-FederationTrust

    Tip of the day #84:

    Need a report on the status of each Exchange certificate installed on all Mailbox and Client Access servers? Try this:

    Test-FederationTrustCertificate

    Tip of the day #85:

    Need to verify that an organization relationship is correctly configured and functioning as expected for a user in an external Exchange organization? Just type:

    Test-OrganizationRelationship -UserIdentity <user email address> -Identity <external domain> -Confirm

    Tip of the day #86:

    Use this command to get all active mailbox move requests on a mailbox server:

    $(Get-MailboxDatabaseCopyStatus -Server MBX | ?{ $_.status -eq "Mounted" }) | %{ Get-MoveRequest -TargetDatabase $_.DatabaseName } | ?{ $_.Status -ne "Completed" -and $_.Status -ne "CompletedWithWarning" }

    Tip of the day #87:

    Use this command to find all non-completed move requests and group them by target database:

    Get-MoveRequest | ?{ $_.Status -ne "Completed" -and $_.Status -ne "CompletedWithWarning" } | group targetdatabase | sort Count -Descending

    Tip of the day #88:

    Use this command to find failure messages for all failed moves:

    Get-MoveRequest -MoveStatus Failed | Get-MoveRequestStatistics | ft Alias, percentcomplete, message -auto

    Tip of the day #89:

    Use these commands to get a snapshot of the move throughput for completed moves.

    $stats = Get-MoveRequest -MoveStatus Completed | Get-MoveRequestStatistics
    $stats | sort totalmailboxsize | ft Alias,{$_.totalmailboxsize.ToMB()},totalinprogressduration -auto

    Tip of the day #90:

    Use this command to view how many move requests are in the queue to be moved:

    (Get-MoveRequest -MoveStatus Queued).count

    Tip of the day #91:

    Use this command to find all mailbox move requests for mailboxes on the active mailbox database copies that are hosted on the specified mailbox server. This command returns the display name, status of the move request, and the database to which the mailbox is being moved.

    $(Get-MailboxDatabaseCopyStatus -Server MBX01 | ?{ $_.status -eq "Mounted" }) | %{ Get-MoveRequest -TargetDatabase $_.DatabaseName }

    Tip of the day #92:

    Need to see a list of the URLs for a user's calendar that has been published for Internet access? Just type:

    Get-MailboxCalendarFolder -Identity <user alias>:\calendar | fl

    Tip of the day #93:

    Did you know that you can download and integrate the latest version of Help for all cmdlets on the local Exchange server? Type:

    Update-ExchangeHelp

    You need to run this command on each Exchange server to get updated Help.

    Cheers,

    Rhoderick

  • Exchange 2013 Tip Of The Day – 26 To 50

    The other Exchange 2013 tips of the day posts can be found here:

    Exchange 2013 Tip Of The Day – 1   To 25

    Exchange 2013 Tip Of The Day – 51 To 75

    Exchange 2013 Tip of The Day – 76 To 93

    To obtain the listing below, the following command was used:

    $Int = 26;While ($Int -le 50){Get-Tip $Int;  Write-Host; $Int+=1}

     

     

    Tip of the day #26:

    Forget a property name? Not a problem because you can use wildcard characters to retrieve all properties that match the part of the name that you specify:

    Get-Mailbox | Format-Table Name,*SMTP*

     

    Tip of the day #27:

    Want to work with data contained in a CSV file? Use Import-CSV to assign the data to an object. For example, type:

    $MyCSV = Import-CSV TestFile.CSV

    You can then manipulate the data easily in the Exchange Management Shell. For example, if there is a column called Mailboxes in the CSV data, you can use the following commands to sort or group the data by the Mailboxes column:

    To sort: $MyCSV | Sort Mailboxes
    To group: $MyCSV | Group Mailboxes

     

    Tip of the day #28:

    This command spins through all your mailbox servers and reconnects all the uniquely identified but disconnected mailboxes in any one of the mailbox stores:

    $Servers = Get-ExchangeServer
    $Servers | `
    Where { $_.IsMailboxServer -Eq $True } `
    | ForEach { Get-MailboxStatistics -Server $_.Name | `
    Where { $_.DisconnectDate -NotLike '' } `
    | ForEach { Connect-Mailbox -Identity `
    $_.DisplayName -Database $_.DatabaseName } }

     

    Tip of the day #29:

    Tab completion reduces the number of keystrokes required to complete a cmdlet. Just press the TAB key to complete the cmdlet you're typing. Tab completion kicks in whenever there is a hyphen (-) in the input. For example:

    Get-Send<tab>

    should complete to Get-SendConnector. You can even use wildcards, such as:

    Get-U*P*<tab>

    Pressing the TAB key when you enter this command cycles through all cmdlets that match the expression, such as the Unified Messaging Mailbox policy cmdlets.

     

    Tip of the day #30:

    Tab completion reduces the number of keystrokes required to complete a cmdlet. Just press the TAB key to complete the cmdlet you're typing. Tab completion kicks in whenever there is a hyphen (-) in the input. For example:

    Get-Send<tab>

    should complete to Get-SendConnector. You can even use wildcards, such as:

    Get-U*P*<tab>

    Pressing the TAB key when you enter this command cycles through all cmdlets that match the expression, such as the Unified Messaging Mailbox policy cmdlets.

    Tip of the day #31:

    Tab completion reduces the number of keystrokes required to complete a cmdlet. Just press the TAB key to complete the cmdlet you're typing. Tab completion kicks in whenever there is a hyphen (-) in the input. For example:

    Get-Send<tab>

    should complete to Get-SendConnector. You can even use wildcards, such as:

    Get-U*P*<tab>

    Pressing the TAB key when you enter this command cycles through all cmdlets that match the expression, such as the Unified Messaging Mailbox policy cmdlets.

     

    Tip of the day #32:

    Tab completion reduces the number of keystrokes required to complete a cmdlet. Just press the TAB key to complete the cmdlet you're typing. Tab completion kicks in whenever there is a hyphen (-) in the input. For example:

    Get-Send<tab>

    should complete to Get-SendConnector. You can even use wildcards, such as:

    Get-U*P*<tab>

    Pressing the TAB key when you enter this command cycles through all cmdlets that match the expression, such as the Unified Messaging Mailbox policy cmdlets.

     

    Tip of the day #33:

    Want to create a group of test users in your lab? Use this command:

    1..100 | ForEach { Net User "User$_" MyPassword=01 /ADD /Domain; Enable-Mailbox "User$_" }

     

    Tip of the day #34:

    Like the Exchange Management Shell Tip of the Day? Try this:

    Get-Tip

     

    Tip of the day #35:

    Want to set the properties on all or some Outlook Web Access virtual directories? Pipe the output of Get-OwaVirtualDirectory to the Set-OwaVirtualDirectory cmdlet. For example, the following command sets the Gzip level for all Outlook Web Access virtual directories:

    Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -GzipLevel High

     

    Tip of the day #36:

    Want to move your database path to another location? Type:

    Move-DatabasePath -EdbFilePath DestFileName

    To change the file path setting without moving data, use this command together with the ConfigurationOnly parameter. This command is especially useful for disaster recovery. Caution: Misuse of this cmdlet will cause data loss.

     

    Tip of the day #37:

    Need an easy way to add a new primary SMTP address to a group of mailboxes? The following command creates a new email address policy that assigns the @contoso.com domain to the primary SMTP address of all mailboxes with Contoso in the company field:

    New-EmailAddressPolicy -Name Contoso -RecipientFilter {Company -Eq "Contoso"} -EnabledPrimarySMTPAddressTemplate "@contoso.com"

     

    Tip of the day #38:

    Want to retrieve a group of objects that have similar identities? You can use wildcard characters with the Identity parameter to match multiple objects. Type:

    Get-Mailbox *John*    
    Get-ReceiveConnector *toso.com     
    Get-JournalRule *discovery*

     

    Tip of the day #39:

    Want to configure a group of objects that have similar identities? You can use wildcard characters with the Identity parameter when you use a Get cmdlet and pipe the output to a Set cmdlet. Type:

    $Mailboxes = Get-Mailbox *John*
    $Mailboxes | Set-Mailbox -ProhibitSendQuota 100MB -UseDatabaseQuotaDefaults $False

    This command matches all mailboxes with the name John in the mailbox's identity and sets the ProhibitSendQuota parameter  to 100MB. It also sets the UseDatabaseQuotaDefaults parameter to $False so that the server uses the new quota you specified instead of the database default quota limits.

     

    Tip of the day #40:

    Forgot what the available parameters are on a cmdlet? Just use tab completion! Type:

    Set-Mailbox -<tab>

    When you type a hyphen (-) and then press the TAB key, you cycle through all the available parameters on the cmdlet. Want to narrow your search? Type part of the parameter's name and then press the TAB key. Type:

    Set-Mailbox -Prohibit<tab>

     

    Tip of the day #41:

    Want to add an alias to multiple distribution groups that have a similar name? Type:

    $Groups = Get-DistributionGroup *Exchange*
    $Groups | Add-DistributionGroupMember -Member kim

    This command adds the recipient with the alias kim as a member of every distribution group whose name contains the word Exchange.

     

    Tip of the day #42:

    Want to record exactly what happens when you're using the Exchange Management Shell? Use the Start-Transcript cmdlet. Anything that you do after you run this cmdlet will be recorded to a text file that you specify. To stop recording your session, use the Stop-Transcript cmdlet.

    Notice that the Start-Transcript cmdlet overwrites the destination text file by default. If you want to append your session to an existing file, use the Append parameter:

    Start-Transcript c:\MySession.txt -Append
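    Tips #39 and #42 combine naturally: a bulk change made through a Get-to-Set pipeline is much easier to defend afterwards if the whole session was transcribed and the targets were previewed before anything was written. The script below is an added example, not code from the original post; the log folder and the *John* name pattern are assumptions, and it assumes an Exchange Management Shell session whose role includes Set-Mailbox.

```powershell
# Added example (not from the original post): bulk quota change with a session
# transcript and a preview pass. The log path and the *John* pattern are
# assumed sample values; adjust them for your environment.

$LogPath = "C:\ExchangeLogs\QuotaChange-$(Get-Date -Format yyyyMMdd-HHmm).txt"
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null

# Record the whole session so the change is auditable afterwards (tip #42).
# -Append keeps any earlier content of the file instead of overwriting it.
Start-Transcript -Path $LogPath -Append

try {
    # Collect the targets once so the same set is previewed and then changed.
    $Mailboxes = Get-Mailbox -Identity *John* -ResultSize Unlimited

    Write-Host "Matched $(@($Mailboxes).Count) mailbox(es):"
    $Mailboxes | Format-Table Name, Alias, ProhibitSendQuota, UseDatabaseQuotaDefaults -AutoSize

    # Preview only: -WhatIf reports what would change without touching anything.
    $Mailboxes | Set-Mailbox -ProhibitSendQuota 100MB -UseDatabaseQuotaDefaults $False -WhatIf

    # Apply the change once the preview looks right (tip #39).
    $Mailboxes | Set-Mailbox -ProhibitSendQuota 100MB -UseDatabaseQuotaDefaults $False

    # Re-read so the transcript records the resulting state, not just the request.
    Get-Mailbox -Identity *John* -ResultSize Unlimited |
        Format-Table Name, ProhibitSendQuota, UseDatabaseQuotaDefaults -AutoSize
}
finally {
    # Runs even if a cmdlet above throws, so the transcript is always closed.
    Stop-Transcript
}
```

    The try/finally matters: if Stop-Transcript is skipped because a cmdlet failed, the next Start-Transcript in the same session errors out and the transcript you thought you had may be incomplete.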

    Tip of the day #43:

    Do you have a user who has network access but maintains an external mail account outside your Exchange organization? With Exchange 2013, you can now create mail-enabled users that are regular Active Directory accounts, but also behave like mail-enabled contacts. By using the Enable-MailUser cmdlet, you can add email contact attributes to any existing Active Directory user who doesn't already have a mailbox on an Exchange server. Users in your Exchange organization will then be able to send email messages to that user's external mail account. Type:

    Enable-MailUser -Identity <Active Directory Alias> -ExternalEmailAddress <Destination SMTP Address>

     

    Tip of the day #44:

    Want to change the default prohibit send quota for a mailbox database? Type:

    Set-MailboxDatabase <Mailbox Database Name> -ProhibitSendQuota <New Quota Size>

    You can specify a bytes qualifier when you use the ProhibitSendQuota parameter. For example, if you want to set the prohibit send quota to 200 megabytes, type:

    Set-MailboxDatabase <Mailbox Database Name> -ProhibitSendQuota 200MB

    You can also configure the IssueWarningQuota parameter and the ProhibitSendReceiveQuota parameter in the same way.

     

    Tip of the day #45:

    Want to know what version of Exchange Server each of your servers is running? Type:

    Get-ExchangeServer | Format-Table Name, *Version*

     

    Tip of the day #46:

    Want to determine whether a server is running Exchange Server 2013 Standard, Enterprise or Hybrid Edition? Type:

    Get-ExchangeServer <Server Name> | Format-Table Name, Edition

    If you want to view which edition all your Exchange servers are running, omit the <Server Name> parameter.

     

    Tip of the day #47:

    Want to create a new resource mailbox that can be used to book a meeting room? Type:

    New-Mailbox -Name <Conference Room Name> -UserPrincipalName <SMTP Address> -OrganizationalUnit <Organizational Unit> -Room

    This command creates a disabled Active Directory user who has a mailbox that accepts meeting requests from users.

     

    Tip of the day #48:

    Want to control the properties of email messages sent to a specific domain? Use the RemoteDomain cmdlets. Create a new remote domain by using the New-RemoteDomain cmdlet. Type:

    New-RemoteDomain -Name "Contoso.com Configuration" -DomainName contoso.com

    Then modify the properties that you want for this remote domain by using the Set-RemoteDomain cmdlet:

    Set-RemoteDomain "Contoso.com Configuration" -AutoReplyEnabled $True -AutoForwardEnabled $True

     

    Tip of the day #49:

    Booleans are parameters that can be evaluated as either $True or $False. Booleans are typically used as a flag on an object that modifies the behavior of that object. In the Exchange Management Shell, you must supply a Boolean parameter with either a $True, $False, 1, or 0. No other values are accepted, including True or False. For example, both of the following commands set the enabled state of the ExampleAssignment management role assignment to $True:

    Set-ManagementRoleAssignment ExampleAssignment -Enabled $True    
    Set-ManagementRoleAssignment ExampleAssignment -Enabled 1

     

    Tip of the day #50:

    Want an easy way to apply deleted item retention limits across multiple databases and servers? Try the following command to configure deleted item retention across all databases on a specified server:

    Get-MailboxDatabase -Server <Server Name> | Set-MailboxDatabase -DeletedItemRetention 45.00:00:00

    You can also apply the same deleted item retention limits or mailbox retention limits across all servers in your organization:

    Get-MailboxDatabase | Set-MailboxDatabase -DeletedItemRetention 45.00:00:00 -MailboxRetention 120.00:00:00

     

    Cheers,

    Rhoderick

  • Exchange 2013 Tip Of The Day – 51 To 75

    The other Exchange 2013 tips of the day posts can be found here:

    Exchange 2013 Tip Of The Day – 1   To 25

    Exchange 2013 Tip Of The Day – 26 To 50

    Exchange 2013 Tip of The Day – 76 To 93

     

    To obtain the listing below, the following command was used:

    $Int = 51;While ($Int -le 75){Get-Tip $Int;  Write-Host; $Int+=1}

     

    Tip of the day #51:

    Want to know what permissions an Active Directory user account has on a specific mailbox? Use:

    Get-Mailbox <Mailbox to Check> | Get-MailboxPermission -User <Active Directory User>

     

    Tip of the day #52:

    Want to know which mailboxes a specific Active Directory user has permissions to? Type:

    $Mailboxes = Get-Mailbox -ResultSize Unlimited    
    $Mailboxes | Get-MailboxPermission -User <Active Directory User> | Format-Table Identity, AccessRights, Deny

    Caution: This command enumerates all the mailboxes in your organization. If you have lots of mailboxes, you may want to target specific mailboxes.
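    Tips #51 and #52 are the raw material for a permissions audit: which mailboxes can a given account open, and was that access granted explicitly or inherited? The script below is an added example rather than code from the original post. The trustee and server names are assumed sample values; Get-MailboxPermission and its User, AccessRights, IsInherited and Deny properties are the real ones.

```powershell
# Added example (not from the original post): report every mailbox on which a
# given account holds an explicit, non-inherited permission, and export the
# FullAccess grants for review. $Account and $Server are assumed sample values.

$Account = "CONTOSO\kim"    # assumed trustee to audit
$Server  = "EX01"           # assumed server; drop -Server below to cover the whole org

# Narrow the set first (see the caution above) rather than walking every mailbox.
$Mailboxes = Get-Mailbox -Server $Server -ResultSize Unlimited

$Report = foreach ($Mailbox in $Mailboxes) {
    Get-MailboxPermission -Identity $Mailbox.Identity -User $Account |
        # Inherited entries come from the database/organization ACL; the
        # explicit ones are what somebody deliberately granted.
        Where-Object { -not $_.IsInherited } |
        ForEach-Object {
            [PSCustomObject]@{
                Mailbox      = $Mailbox.PrimarySmtpAddress
                AccessRights = ($_.AccessRights -join ",")
                Deny         = $_.Deny
            }
        }
}

$Report | Sort-Object Mailbox | Format-Table -AutoSize

# Explicit FullAccess allow entries are the ones worth reviewing first.
$OutFile = "C:\ExchangeLogs\$($Account -replace '\\', '_')-FullAccess.csv"
$Report |
    Where-Object { $_.AccessRights -match "FullAccess" -and -not $_.Deny } |
    Export-Csv -Path $OutFile -NoTypeInformation
```

    Keeping the inherited entries out of the report is what makes it useful: without that filter every mailbox shows the same organization-level entries and the handful of deliberate grants disappear in the noise.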

     

    Tip of the day #53:

    Want to get a list of the backup status of all mailbox databases in your organization? Type:

    Get-MailboxDatabase -Status | Format-Table Name, Server, *Backup*

    How about just the mailbox databases on a specific server? Type:

    $Databases = Get-MailboxDatabase -Server <Server Name> -Status    
    $Databases | Format-Table Name, *Backup*

     

    Tip of the day #54:

    To retrieve the current status of an Exchange server or database, use the Status parameter. For example:

    Get-ExchangeServer -Status | Format-List    
    Get-MailboxDatabase -Server <Server Name> -Status | Format-List

     

    Tip of the day #55:

    Want to view the mounted status of all mailbox databases? Type:

    Get-MailboxDatabase -Status | Format-Table Name, Server, Mounted

     

    Tip of the day #56:

    What's the difference between server-side filtering and client-side filtering? Server-side filtering is used with the recipient and queue cmdlets, which support the Filter parameter, because these cmdlets can return large result sets. The server filters the results by using the criteria you specify and then sends you the filtered results. Client-side filtering can be used with any cmdlet. The entire result set is sent to the client computer, which then filters the data and provides a filtered result set. Client-side filtering uses the Where-Object cmdlet, which can be shortened to Where.

     

    Tip of the day #57:

    With Exchange 2013 Unified Messaging, you can redirect unauthenticated callers to certain telephone extensions to an operator instead of to the extension that was dialed. To list users for whom Unified Messaging transfers unauthenticated callers to the operator, instead of to the user, type:

    $Mailboxes = Get-UMMailbox
    $Mailboxes | Where-Object { $_.AllowUMCallsFromNonUsers -eq `
        [Microsoft.Exchange.Data.Directory.Recipient.AllowUMCallsFromNonUsersFlags] "None" }

     

    Tip of the day #58:

    You can use client-side filtering to return only the data that you want to see or work with. The following example retrieves all Active Directory user accounts in the Engineering department and puts the results in a table with two columns,  Name and Department. By using the ResultSize parameter, the Get-User cmdlet limits the result set to 2,000 users.

    $Users = Get-User -ResultSize 2000
    $Users | Where { $_.Department -Eq "Engineering" } | Format-Table Name, Department
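    Tips #56 and #58 describe the two filtering models; the script below puts them side by side on the same question so the difference is visible. It is an added example, not code from the original post. Department "Engineering" is the value from the tip; the timings will vary per environment, and the Filter syntax used is the same script-block form tip #37 uses for RecipientFilter.

```powershell
# Added example (not from the original post): the same query run with a
# server-side filter and with a client-side filter, timed for comparison.

$Sw = [System.Diagnostics.Stopwatch]::StartNew()

# Server-side: Get-User supports -Filter, so the directory evaluates the
# condition and only matching objects are returned to the shell.
$EngServer = Get-User -Filter { Department -eq 'Engineering' } -ResultSize Unlimited
$ServerSeconds = $Sw.Elapsed.TotalSeconds

$Sw.Restart()

# Client-side: every user object comes back first, then Where-Object discards
# the ones you did not want after they have already crossed the wire.
$EngClient = Get-User -ResultSize Unlimited |
    Where-Object { $_.Department -eq 'Engineering' }
$ClientSeconds = $Sw.Elapsed.TotalSeconds

# Both should agree on the result; the difference is how much data was moved.
[PSCustomObject]@{
    ServerSideCount   = @($EngServer).Count
    ServerSideSeconds = [Math]::Round($ServerSeconds, 2)
    ClientSideCount   = @($EngClient).Count
    ClientSideSeconds = [Math]::Round($ClientSeconds, 2)
} | Format-List

# Combining both: do the bulk reduction on the server, then refine on the
# client with logic the server-side filter cannot express.
Get-User -Filter { Department -eq 'Engineering' } -ResultSize Unlimited |
    Where-Object { $_.WhenCreated -gt (Get-Date).AddDays(-30) } |
    Format-Table Name, Department, WhenCreated -AutoSize
```

    The pattern in the last pipeline is the one to reach for in a large organization: use -Filter for whatever the recipient cmdlet can evaluate on the server, and keep Where-Object for the remainder.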

     

    Tip of the day #59:

    The special variable $_ represents the objects being passed from one cmdlet to another cmdlet in the pipeline. The $_ variable is automatically initiated by the Shell and is bound to the current pipeline object. You can access the properties of the object assigned to the $_ variable as you would any other object. The following example shows how you can view the Name property of each mailbox object that is passed through the pipeline:

    Get-Mailbox | ForEach { $_.Name }

     

    Tip of the day #60:

    You can import CSV files and treat them as objects by using the Import-Csv cmdlet. Each row in a CSV file becomes an element in an array, and each column becomes a property. You can assign the CSV file to a variable, or you can pipe its contents directly to another cmdlet. In the following example, there are three columns in the CSV file, Name, Alias, and EmailAddress, with several rows that the ForEach cmdlet will cycle through. The data in each row is used to create a new mail contact.

    $CSV = Import-Csv <CSV file name>
    $CSV | ForEach { New-MailContact -Name $_.Name -Alias $_.Alias -ExternalEmailAddress $_.EmailAddress -OrganizationalUnit Users }
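    The one-liner above creates a contact for every row as-is, so a malformed row becomes a malformed contact or an error halfway through the file. The script below is an added example, not code from the original post: it builds the same three-column input inline from a constructed sample (in practice you would Import-Csv the file), validates each row, reports the rejects, and previews the creations with -WhatIf before anything is written. The contact rows and the OU name are constructed sample values.

```powershell
# Added example (not from the original post): CSV-driven contact creation with
# per-row validation and a preview pass. The rows below are constructed sample
# data in the Name,Alias,EmailAddress layout the tip describes; in practice use
#     $Rows = Import-Csv -Path <CSV file name>

$Rows = @"
Name,Alias,EmailAddress
Kim Akers,kim.akers,kim.akers@fabrikam.example
Jane Doe,jane.doe,jane.doe@fabrikam.example
Bad Row,,not-an-address
"@ | ConvertFrom-Csv

$Valid   = New-Object System.Collections.Generic.List[object]
$Invalid = New-Object System.Collections.Generic.List[object]

foreach ($Row in $Rows) {
    $Problems = @()
    if ([string]::IsNullOrWhiteSpace($Row.Name))   { $Problems += "missing Name" }
    # Alias must be a plain token; an empty or odd alias fails this check.
    if ($Row.Alias -notmatch '^[A-Za-z0-9._-]+$')   { $Problems += "bad Alias" }
    # Let the .NET mail address parser decide whether the address is well formed.
    try   { [void](New-Object System.Net.Mail.MailAddress $Row.EmailAddress) }
    catch { $Problems += "bad EmailAddress" }

    if ($Problems.Count -eq 0) {
        $Valid.Add($Row)
    } else {
        $Invalid.Add([PSCustomObject]@{ Row = $Row.Name; Problems = ($Problems -join "; ") })
    }
}

# Surface the rejected rows instead of silently skipping them.
if ($Invalid.Count -gt 0) {
    Write-Warning "Skipping $($Invalid.Count) invalid row(s):"
    $Invalid | Format-Table -AutoSize | Out-String | Write-Warning
}

# Preview first; remove -WhatIf once the output looks right.
foreach ($Row in $Valid) {
    New-MailContact -Name $Row.Name -Alias $Row.Alias `
        -ExternalEmailAddress $Row.EmailAddress -OrganizationalUnit Users -WhatIf
}
```

    With the sample input, the third row is rejected for both an empty alias and an unparsable address, and only the two well-formed rows reach New-MailContact.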

     

    Tip of the day #61:

    Want to customize your Exchange Management Shell profile? Run the following command to determine the location of your Microsoft.PowerShell_profile.ps1 file:

    $Profile

    You may have to create the PSConfiguration folder and Microsoft.PowerShell_profile.ps1 file. After you've done that, you can add your favorite functions and aliases, which will be loaded every time that the Exchange Management Shell is opened.

     

    Tip of the day #62:

    Want to see everything that occurs when you run a command? Include the Verbose parameter with the command. This parameter instructs the Exchange Management Shell to display detailed information about each action that the server takes to complete the command. This information can be useful in troubleshooting.

     

    Tip of the day #63:

    Any cmdlet that accepts a size value lets you specify whether the integer value is in kilobytes (KB), megabytes (MB), gigabytes (GB), or terabytes (TB). For example:

    Set-Mailbox "Kim Akers" -ProhibitSendQuota 200MB -UseDatabaseQuotaDefaults $False

     

    Tip of the day #64:

    Want to create a new role group for your administrators? Use the New-RoleGroup cmdlet. The New-RoleGroup cmdlet lets you add management roles and specify the members to add to the new role group. Those members will be granted the permissions provided by the management roles. Type:

    New-RoleGroup <role group name> -Roles <role 1>, <role 2>, <role 3...> -Members <member 1>, <member 2>, <member3...>

    Remember, role groups are used to grant permissions to groups of administrators or specialist end users who require special permissions. If you want to manage permissions for end users, use management role assignment policies.

     

    Tip of the day #65:

    Do you want to create a new management role assignment policy that's based on an existing policy, but you don't want to include all the management roles? Use the Get-ManagementRoleAssignment cmdlet and pipe the results to the Where cmdlet. The Where cmdlet excludes any role assignments that contain the roles you specify. The remaining role assignments are piped to the New-ManagementRoleAssignment cmdlet. Type:

    New-RoleAssignmentPolicy <new role assignment policy name>
    Get-ManagementRoleAssignment -RoleAssignee <old role assignment policy name> | Where { ($_.Role -NE "<role name 1>") -And ($_.Role -NE "<role name 2>") } | New-ManagementRoleAssignment -Policy <new role assignment policy name>

    The Where statement is case-sensitive.

    Then you can apply the new policy to a mailbox using the Set-Mailbox cmdlet:

    Set-Mailbox <mailbox name> -RoleAssignmentPolicy <new role assignment policy name>

     

    Tip of the day #66:

    Do you want to remove a management role from a role group, role assignment policy, USG, or user but don't know the name of the management role assignment? Just find the role assignment with the Get-ManagementRoleAssignment cmdlet and pipe the results to the Remove-ManagementRoleAssignment cmdlet. Type:

    Get-ManagementRoleAssignment -RoleAssignee <role assignee name> -Role <role name> | Remove-ManagementRoleAssignment
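    Tips #64 to #66 are the building blocks of least-privilege delegation in Exchange RBAC: grant only the roles a job needs, fence them with a scope, check what was actually granted, and trim anything that turns out to be excess. The script below walks through that sequence as an added example; it is not code from the original post. The group name, scope filter, member and description are constructed sample values, while "Mail Recipients" and "Message Tracking" are built-in Exchange 2013 management roles.

```powershell
# Added example (not from the original post): a scoped, least-privilege role
# group created, audited and trimmed with the cmdlets from tips #64 to #66.
# Group name, scope filter and member are constructed sample values.

# 1. A recipient write scope confines the group's cmdlets to one population
#    of recipients (here: everyone whose Company attribute is Fabrikam).
New-ManagementScope -Name "Fabrikam Support Recipients" `
    -RecipientRestrictionFilter { Company -eq "Fabrikam" }

# 2. Grant only the roles the job needs, and only inside that scope (tip #64).
New-RoleGroup -Name "Fabrikam Help Desk" `
    -Roles "Mail Recipients", "Message Tracking" `
    -CustomRecipientWriteScope "Fabrikam Support Recipients" `
    -Members "kim" `
    -Description "Tier-1 support: recipient edits and message tracking for Fabrikam only"

# 3. Audit what was actually granted. The assignment view shows the role, the
#    scope and the effective users, which Get-RoleGroupMember alone does not.
Get-ManagementRoleAssignment -RoleAssignee "Fabrikam Help Desk" |
    Format-Table Role, RoleAssigneeType, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

Get-ManagementRoleAssignment -RoleAssignee "Fabrikam Help Desk" -GetEffectiveUsers |
    Format-Table Role, EffectiveUserName -AutoSize

# 4. If a role proves to be more than the job needs, locate its assignment and
#    remove it rather than guessing the generated assignment name (tip #66).
Get-ManagementRoleAssignment -RoleAssignee "Fabrikam Help Desk" -Role "Message Tracking" |
    Remove-ManagementRoleAssignment -Confirm:$false
```

    Step 3 is the part to keep in a recurring review: a role group's membership can drift through nested universal security groups, and -GetEffectiveUsers expands those so the people who really hold the permission are listed.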

     

    Tip of the day #67:

    Exchange 2013 uses management role groups and management role assignment policies to manage permissions. Role groups enable you to grant permissions to groups of administrators and specialist end users. These are people who manage your organization or perform special tasks, like mailbox searches for compliance reasons. Role assignment policies enable you to grant permissions to your end users. These permissions include whether users can manage their own distribution groups, edit their own profile information, access voice mail, and more.

     

    Tip of the day #68:

    Exchange 2013 uses management role groups and management role assignment policies to manage permissions. Role groups enable you to grant permissions to groups of administrators and specialist end users. These are people who manage your organization or perform special tasks, like mailbox searches for compliance reasons.  Role assignment policies enable you to grant permissions to your end users. These permissions include whether users can manage their own distribution groups, edit their own profile information, access voice mail, and more.

     

    Tip of the day #69:

    Exchange 2013 uses management role groups and management role assignment policies to manage permissions.  Role groups enable you to grant permissions to groups of administrators and specialist end users. These are people who manage your organization or perform special tasks, like mailbox searches for compliance reasons.  Role assignment policies enable you to grant permissions to your end users. These permissions include whether users can manage their own distribution groups, edit their own profile information, access voice mail, and more.

     

    Tip of the day #70:

    Exchange 2013 uses management role groups and management role assignment policies to manage permissions.  Role groups enable you to grant permissions to groups of administrators and specialist end users. These are people who manage your organization or perform special tasks, like mailbox searches for compliance reasons. Role assignment policies enable you to grant permissions to your end users. These permissions include whether users can manage their own distribution groups, edit their own profile information, access voice mail, and more.

     

    Tip of the day #71:

    Management role groups enable you to grant permissions to groups of administrators and specialist end users. These are people who manage your organization or perform special tasks, like mailbox searches for compliance reasons. If you want to manage permissions for end users, use management role assignment policies.

     

    Tip of the day #72:

    Management role assignment policies enable you to grant permissions to your end users. These permissions include whether  users can manage their own distribution groups, edit their own profile information, access voice mail, and more. If you want to manage permissions for administrators and specialist users, use management role groups.

     

    Tip of the day #73:

    Management role assignments determine what management roles are associated with management role groups and management role assignment policies. Role assignments also control what objects users who are members of role groups or assignment policies can modify using the cmdlets available on the associated management roles.

     

    Tip of the day #74:

    The Get-RoleGroupMember cmdlet lists all the members on a management role group. But if you want to get more details about the members of the role group, use the Get-ManagementRoleAssignment cmdlet. The Get-ManagementRoleAssignment cmdlet enables you to view the members of universal security groups that are members of role groups, view the management scope that applies, and more.

     

    Tip of the day #75:

    Do you need to store a value in a variable in a script and make sure it never changes? If so, make the variable a constant using the New-Variable cmdlet. Constants can be set once and don't allow their values to be changed. For example, the  following creates the $IPAddress constant with the value 10.0.0.2.

    New-Variable -Option Constant -Name IPAddress -Value "10.0.0.2"

     

    Cheers,

    Rhoderick