Disable Office 365 Groups Creation: Redux

Several months ago, I wrote a blog on Disabling Office 365 Groups.  It seems as though we couldn’t leave well enough alone.  Such is the price of progress. I got a new laptop a few weeks ago, and then found myself in the position of helping out a few colleagues this week.  One of the tasks…

Block direct delivery to @onmicrosoft.com addresses

We’re all familiar with how Office 365 tenants work: when you spin up a new Office 365 tenant, you get a managed domain (tenant.onmicrosoft.com).  Then, maybe you configure a hybrid environment, and now your tenant has your own domain, as well as your original tenant.onmicrosoft.com domain, and a new tenant.mail.onmicrosoft.com.  The two managed domains, tenant.onmicrosoft.com and tenant.mail.onmicrosoft.com, both…
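
One way to enforce this with a mail flow rule, as an added example (not the post's own configuration): the rule rejects messages from outside the organization addressed to either managed domain. The tenant name `contoso`, the rule name and the reject text are placeholders. It is created in audit mode first so you can confirm that legitimate hybrid traffic (on-premises to cloud via the inbound connector, which Exchange Online treats as in-organization) is not being matched before you enforce it.

```powershell
# Added example, not the post's configuration. Assumes an Exchange Online PowerShell session.
# Placeholder tenant name; both managed domains are matched by regular expression.
$Tenant   = 'contoso'
$RuleName = 'Block direct delivery to managed domains'
$Patterns = @(
    "@$Tenant\.onmicrosoft\.com$",
    "@$Tenant\.mail\.onmicrosoft\.com$"
)

# Audit mode: the rule is evaluated and logged, but the reject action is not applied yet.
New-TransportRule -Name $RuleName `
    -Mode Audit `
    -FromScope NotInOrganization `
    -RecipientAddressMatchesPatterns $Patterns `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -RejectMessageReasonText 'Delivery to this address is not permitted. Use the published domain.' `
    -Comments 'Managed domains are routing targets only; external senders must use the vanity domain.'

# Review what was created, then run a message trace for a few days before enforcing.
Get-TransportRule -Identity $RuleName |
    Format-List Name, Mode, State, FromScope, RecipientAddressMatchesPatterns, RejectMessage*

# Promote to enforcement once the audit period shows only unwanted matches:
# Set-TransportRule -Identity $RuleName -Mode Enforce
```

The caveat to check before enforcing: if the hybrid inbound connector is not configured as an on-premises organizational connector, mail relayed from on-premises to tenant.mail.onmicrosoft.com addresses will be scoped as NotInOrganization and rejected by this rule.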

Disable Skype SKUs across all users

This week, I was presented with a question from a partner who was in the middle of the Skype for Business portion of a larger merger and acquisition migration project. The customer had enabled the Skype for Business license for all users in the tenant (including users who hadn’t yet been migrated from other domains and forests),…
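
The bulk change described above, as an added example rather than the post's own script. It uses the legacy MSOnline module (Connect-MsolService), assumes the placeholder SKU `contoso:ENTERPRISEPACK` (verify the real value with Get-MsolAccountSku) and the Skype for Business Online plan name `MCOSTANDARD`. The point a practitioner wants handled: New-MsolLicenseOptions replaces the whole disabled-plan list, so any plans already disabled for a user must be read back and preserved, or they will silently be re-enabled.

```powershell
# Added example, not the post's script. Assumes MSOnline module and an existing Connect-MsolService session.
$SkuId     = 'contoso:ENTERPRISEPACK'   # placeholder; check Get-MsolAccountSku
$SkypePlan = 'MCOSTANDARD'              # Skype for Business Online (Plan 2) service plan inside E3

$Users = Get-MsolUser -All | Where-Object { $_.Licenses.AccountSkuId -contains $SkuId }

foreach ($u in $Users) {
    $lic = $u.Licenses | Where-Object { $_.AccountSkuId -eq $SkuId }

    # Plans this user already has disabled; keep them so other workloads are not re-enabled.
    $disabled = @($lic.ServiceStatus |
        Where-Object { $_.ProvisioningStatus -eq 'Disabled' } |
        ForEach-Object { $_.ServicePlan.ServiceName })

    if ($disabled -contains $SkypePlan) {
        Write-Verbose "$($u.UserPrincipalName): $SkypePlan already disabled"
        continue
    }

    $disabled += $SkypePlan
    $opts = New-MsolLicenseOptions -AccountSkuId $SkuId -DisabledPlans $disabled
    Set-MsolUserLicense -UserPrincipalName $u.UserPrincipalName -LicenseOptions $opts
    Write-Host "Disabled $SkypePlan for $($u.UserPrincipalName) (disabled plans now: $($disabled -join ','))"
}
```

Run it with `-Verbose` on a small pilot set first (filter `$Users` by domain) and confirm with `(Get-MsolUser -UserPrincipalName <upn>).Licenses.ServiceStatus` before running tenant-wide.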

Detecting Outlook / Exchange data exfiltration

While I was working on a script to configure Office 365 Secure Score settings, I came up with a few scripts that I thought would be helpful in monitoring your messaging environments.  Many organizations have policies against data exfiltration, but detecting and enforcing are totally different animals.  One method that an attacker can set up…
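
An added example of the kind of monitoring script the post describes (this is not the post's own code): it inventories every place Exchange Online can forward mail out of a mailbox, both mailbox-level forwarding properties and inbox rules that forward, forward-as-attachment or redirect, and flags targets whose domain is not one of the tenant's accepted domains. Treating "not an accepted domain" as external is an assumption of this example, as is the output file name.

```powershell
# Added example, not the post's script. Assumes an Exchange Online PowerShell session.
# External = forwarding target whose SMTP domain is not an accepted domain of the tenant (assumption).
$Accepted = @((Get-AcceptedDomain).DomainName | ForEach-Object { "$_".ToLower() })

function Test-ExternalTarget {
    param([string]$Target)
    # Targets look like "smtp:user@domain", "Name [SMTP:user@domain]" or "Name [EX:/o=...]".
    # Only SMTP targets can be classified by domain; EX: (legacy DN) targets are internal recipients.
    if ($Target -match 'SMTP:([^\]\s]+)') {
        $domain = ($Matches[1] -split '@')[-1].ToLower()
        return -not ($Accepted -contains $domain)
    }
    return $false
}

$Findings = foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
    # 1. Mailbox-level forwarding (set by an admin, or by the user in Outlook on the web)
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        [pscustomobject]@{
            Mailbox   = $mbx.PrimarySmtpAddress
            Source    = 'MailboxProperty'
            Rule      = $null
            Target    = ("$($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)").Trim()
            External  = Test-ExternalTarget "$($mbx.ForwardingSmtpAddress)"
            KeepsCopy = $mbx.DeliverToMailboxAndForward
        }
    }

    # 2. Inbox rules with a forward/redirect action
    Get-InboxRule -Mailbox $mbx.Identity |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets = @(@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) | Where-Object { $_ })
            [pscustomobject]@{
                Mailbox   = $mbx.PrimarySmtpAddress
                Source    = 'InboxRule'
                Rule      = $_.Name
                Target    = ($targets -join '; ')
                External  = [bool]($targets | Where-Object { Test-ExternalTarget "$_" })
                KeepsCopy = -not $_.RedirectTo   # redirect leaves nothing behind in the mailbox
            }
        }
}

$Findings | Sort-Object External -Descending | Format-Table -AutoSize
$Findings | Export-Csv -Path .\forwarding-report.csv -NoTypeInformation
```

Two checks worth adding to a scheduled run: re-run `Get-InboxRule` with `-IncludeHidden` so rules created outside the normal clients are not missed, and diff each run's CSV against the previous one so a newly appearing external target raises an alert rather than being lost in a long list of legitimate forwards.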

Display or Export All User Mailbox Holds

Last week, I was asked by a few people for information on displaying holds applied to mailboxes. Holds come in several varieties:
- In-Place Holds created via the Exchange Admin Center or eDiscovery case
- Retention Policies (either as Retention or Label policies)
- Litigation Hold set as a mailbox property
- Legacy Exchange MRM policies
When viewed programmatically…
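
A report that pulls all four varieties into one row per mailbox, as an added example (not the post's tool). Litigation Hold and the MRM policy are plain mailbox properties; In-Place Holds and Security & Compliance Center retention policies both land in the mailbox's InPlaceHolds collection as GUID-like strings. Legacy In-Place Holds are resolved to a name through Get-MailboxSearch; the prefix decoding for the other entries (`UniH` for eDiscovery case holds, `mbx`/`skp` for retention policies) and the CSV file name are assumptions of this example.

```powershell
# Added example, not the post's script. Assumes an Exchange Online PowerShell session.
# Map legacy In-Place Hold identities back to the mailbox search that created them.
$HoldNames = @{}
Get-MailboxSearch -ResultSize Unlimited |
    Where-Object { $_.InPlaceHoldEnabled } |
    ForEach-Object { $HoldNames[$_.InPlaceHoldIdentity] = $_.Name }

function Resolve-HoldId {
    param([string]$Id)
    if ($HoldNames.ContainsKey($Id)) { return "InPlaceHold:$($HoldNames[$Id])" }
    switch -Regex ($Id) {
        '^UniH'      { return "eDiscoveryCase:$Id" }   # assumption: SCC eDiscovery case hold prefix
        '^(mbx|skp)' { return "RetentionPolicy:$Id" }  # assumption: SCC retention policy prefixes
        default      { return "Unknown:$Id" }
    }
}

$Report = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    [pscustomobject]@{
        Mailbox         = $_.PrimarySmtpAddress
        LitigationHold  = $_.LitigationHoldEnabled
        LitHoldDuration = $_.LitigationHoldDuration
        MrmPolicy       = $_.RetentionPolicy
        InPlaceHolds    = (@($_.InPlaceHolds) | ForEach-Object { Resolve-HoldId $_ }) -join '; '
        HoldCount       = @($_.InPlaceHolds).Count + [int][bool]$_.LitigationHoldEnabled
    }
}

$Report | Where-Object { $_.HoldCount -gt 0 } | Format-Table -AutoSize
$Report | Export-Csv -Path .\mailbox-holds.csv -NoTypeInformation
```

Caveat: an organization-wide retention policy does not appear on each mailbox; it is recorded at the tenant level (`(Get-OrganizationConfig).InPlaceHolds`), so a mailbox with `HoldCount` 0 can still be under hold. Check that list alongside the per-mailbox report.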

Backup and Restore Office 365 Groups

While working with a partner this weekend on a tenant to tenant migration, we had the need to migrate Office 365 groups.  There’s not really a lot of information around on recreating groups and memberships, so I decided to put together a tool to help the effort. The first thing to understand about Office 365…

Update to Wipe Exchange Online Mailbox script

Earlier today, I was asked to make an update to my script to wipe Exchange Online mailboxes to include Archive Mailboxes.  Fortunately, it ended up being much easier than I anticipated. When I enumerated the mailbox originally, I used:
$Root = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($service, [Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Root)
In order to access the Archive folder, I just had to change…
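
Before running anything destructive against a mailbox it is worth seeing exactly what a given root binds to. The following added example (not the post's wipe script) binds both the primary root and the archive root with the EWS Managed API and lists every folder and its item count under each, read-only. It assumes the EWS Managed API 2.2 DLL at the default install path, an account holding the ApplicationImpersonation role, a target mailbox with an archive enabled, and that `ArchiveRoot` is the well-known folder the archive hangs off; the mailbox address is a placeholder.

```powershell
# Added example, not the post's script. Read-only enumeration of primary and archive folder trees.
# Assumptions: EWS Managed API 2.2 at the path below, impersonation rights, archive enabled on target.
Add-Type -Path 'C:\Program Files\Microsoft\Exchange\Web Services\2.2\Microsoft.Exchange.WebServices.dll'

$Target = 'user@contoso.com'   # placeholder mailbox
$Cred   = Get-Credential -Message 'Account with ApplicationImpersonation'

$service = New-Object -TypeName Microsoft.Exchange.WebServices.Data.ExchangeService `
    -ArgumentList ([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2013_SP1)
$service.Credentials = New-Object -TypeName Microsoft.Exchange.WebServices.Data.WebCredentials `
    -ArgumentList $Cred.UserName, $Cred.GetNetworkCredential().Password
$service.Url = [Uri]'https://outlook.office365.com/EWS/Exchange.asmx'
$service.ImpersonatedUserId = New-Object -TypeName Microsoft.Exchange.WebServices.Data.ImpersonatedUserId `
    -ArgumentList ([Microsoft.Exchange.WebServices.Data.ConnectingIdType]::SmtpAddress), $Target

function Get-FolderSummary {
    param(
        [Microsoft.Exchange.WebServices.Data.ExchangeService]$Service,
        [Microsoft.Exchange.WebServices.Data.WellKnownFolderName]$RootName
    )
    # Same Bind call as the wipe script, parameterised on the well-known root
    $root = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($Service, $RootName)

    # Deep traversal: every descendant folder, with only the properties we need
    $view = New-Object -TypeName Microsoft.Exchange.WebServices.Data.FolderView -ArgumentList 1000
    $view.Traversal = [Microsoft.Exchange.WebServices.Data.FolderTraversal]::Deep
    $props = New-Object -TypeName Microsoft.Exchange.WebServices.Data.PropertySet `
        -ArgumentList ([Microsoft.Exchange.WebServices.Data.BasePropertySet]::IdOnly)
    $props.Add([Microsoft.Exchange.WebServices.Data.FolderSchema]::DisplayName)
    $props.Add([Microsoft.Exchange.WebServices.Data.FolderSchema]::TotalCount)
    $view.PropertySet = $props

    $root.FindFolders($view).Folders | ForEach-Object {
        [pscustomobject]@{ Root = "$RootName"; Folder = $_.DisplayName; Items = $_.TotalCount }
    }
}

$summary = @()
$summary += Get-FolderSummary -Service $service -RootName ([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Root)
try {
    $summary += Get-FolderSummary -Service $service -RootName ([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::ArchiveRoot)
} catch {
    # Archive not enabled, or impersonation not permitted for it
    Write-Warning "Archive root not reachable for $Target : $($_.Exception.Message)"
}

$summary | Sort-Object Root, Items -Descending | Format-Table -AutoSize
```

The item totals per root are the numbers to compare against a post-wipe run: if the archive side has not dropped to zero, the deletion loop was still bound to the primary root.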

Recovering from Crypto- or Ransomware attacks with the OneDrive for Business Admin Tool

Recently, I had a requirement come up to enable the bulk restore of content from a OneDrive for Business site in the event of a cryptoware or ransomware attack.  OneDrive has versioning turned on, so I figured this would be an “easy” add.  As with most of my initial thoughts on how long something should…

Update to Advanced AAD Connect Permissions tool

Since its initial creation, I’ve made a few updates to the Advanced AAD Connect permissions tool.  The most recent updates:
2017-10-11 – delegating write permissions to the CN=adminSDHolder,CN=System container
2017-10-05 – delegating write permissions to the ms-DS-ConsistencyGuid property
These two updates should allow for a more complete AAD Connect permissions delegation experience.  The script has…
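
What those two delegations look like when done by hand with dsacls, as an added example (not the tool's own code). The domain DN and the connector account name are placeholders. The reason the AdminSDHolder entry matters: accounts with adminCount=1 get their ACL reset from CN=AdminSDHolder by the SDProp process, so a write-property grant placed only on the domain root is stripped from protected accounts within the hour; granting the same right on AdminSDHolder makes it survive. Which attribute the tool delegates on AdminSDHolder is not stated in the excerpt above; this example assumes it is ms-DS-ConsistencyGuid, the attribute AAD Connect uses as its source anchor.

```powershell
# Added example, not the tool's code. Run as a user who can modify the domain root and AdminSDHolder ACLs.
$Domain  = 'DC=contoso,DC=com'      # placeholder domain DN
$Account = 'CONTOSO\MSOL_svc'       # placeholder AAD Connect AD DS connector account

# 1. Write ms-DS-ConsistencyGuid on every user object in the domain.
#    /I:S = apply to sub-objects only, restricted by the trailing ';user' to objects of class user.
dsacls $Domain /I:S /G "${Account}:WP;ms-DS-ConsistencyGuid;user"

# 2. Same right on AdminSDHolder so SDProp re-applies it to protected accounts instead of removing it.
#    (Assumption: the attribute the tool delegates here is ms-DS-ConsistencyGuid.)
dsacls "CN=AdminSDHolder,CN=System,$Domain" /G "${Account}:WP;ms-DS-ConsistencyGuid"

# 3. Verify both places carry the grant. -SimpleMatch because the backslash in the account name
#    would otherwise be parsed as a regex escape.
dsacls $Domain | Select-String -SimpleMatch $Account
dsacls "CN=AdminSDHolder,CN=System,$Domain" | Select-String -SimpleMatch $Account
```

If step 2 is skipped, the symptom is a connector account that can write the anchor for ordinary users but fails with access-denied on Domain Admins and other protected accounts, and only after SDProp has run.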

Office 365 Secure Score Script

In light of the discovery that a recent compromise involved administrator credentials that were not protected with multi-factor authentication, I thought revisiting http://securescore.office.com might be a good idea. For the uninitiated, Secure Score is a tool that we provide to examine some configuration items and give guidance on others with respect to creating a more…

Use AAD Connect to disable accounts with expired on-premises passwords

This week, I received an email from a colleague asking if there was a way to work around the default behavior described in https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization:
Password expiration policy
If a user is in the scope of password synchronization, the cloud account password is set to Never Expire. You can continue to sign in to your cloud…
