How to connect to Exchange Online PowerShell via ISE with MFA the correct way

I had the issue that my ISE client timed out after 10 minutes and I could not re-logon to Exchange Online PowerShell and I had to start a new session each time. I asked on Twitter and got some great help from these guys, a big shout out to

It turned out I was doing it wrong. Here is how to do it right

  • Install the Exchange Online PowerShell module for MFA
    • Go to Exchange Admin in portal.office.com
    • Go to Hybrid and click download for the Exchange module
    • This will break in Chrome, so use Edge or IE
    • Note that you should run the installed module from time to time in order to keep it up to date
  • Open PowerShell ISE or Visual Studio Code and use this code to connect to Exchange Online
#Import the module; requires that you are administrator and are allowed to run scripts
Import-Module $((Get-ChildItem -Path $($env:LOCALAPPDATA+"\Apps\2.0\") -Filter CreateExoPSSession.ps1 -Recurse ).FullName | Select-Object -Last 1)
#Connect specifying the username; if you have already authenticated to another module, you do not actually have to authenticate again
Connect-EXOPSSession -UserPrincipalName admin@contoso.com
#This makes sure that when you need to reauthenticate after 1 hour, the module uses the existing token and you don't have to type your password and verify again
$global:UserPrincipalName="admin@contoso.com"
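The same steps wrapped in one function that only signs in when there is no open Exchange Online session, so a timed-out ISE session is cleaned up and re-established from the cached token. This is an added example, not code from the original post; the function name Connect-ExoIfNeeded and the UPN admin@contoso.com are assumptions.

```powershell
# Added example (not from the original post). Reuses an open Exchange Online session when one
# exists, otherwise removes the dead one left by a timeout and reconnects via the MFA module.
function Connect-ExoIfNeeded {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # An already-open Exchange Online session is good enough; no new sign-in needed
    $open = Get-PSSession | Where-Object {
        $_.ConfigurationName -eq 'Microsoft.Exchange' -and $_.State -eq 'Opened'
    }
    if ($open) { return $open }

    # Remove closed/broken Exchange sessions left over from the 10 minute idle timeout
    Get-PSSession | Where-Object { $_.ConfigurationName -eq 'Microsoft.Exchange' } | Remove-PSSession

    # Locate the ClickOnce-installed MFA module under %LOCALAPPDATA%\Apps\2.0 (same lookup as above)
    $modulePath = Get-ChildItem -Path (Join-Path $env:LOCALAPPDATA 'Apps\2.0') -Filter CreateExoPSSession.ps1 -Recurse -ErrorAction SilentlyContinue |
        Select-Object -Last 1 -ExpandProperty FullName
    if (-not $modulePath) {
        throw 'Exchange Online MFA module not found; download it from Exchange Admin > Hybrid first.'
    }
    Import-Module $modulePath

    # Set the global UPN before connecting so the module can renew the session from the
    # existing token after an hour instead of prompting for password and MFA again
    $global:UserPrincipalName = $UserPrincipalName
    Connect-EXOPSSession -UserPrincipalName $UserPrincipalName

    Get-PSSession | Where-Object { $_.ConfigurationName -eq 'Microsoft.Exchange' -and $_.State -eq 'Opened' }
}

# Assumed admin account; call this at the top of every script you run from ISE
Connect-ExoIfNeeded -UserPrincipalName 'admin@contoso.com'
```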

How to use Microsoft Flow to move email to OneNote

The send to OneNote plugin in Outlook for PC and Mac is awesome. The problem is when you are not in front of a computer and need to tag an email for processing later when you are on other platforms. My approach to solve this is to use flagging of email and send that to my collection section in OneNote using Microsoft Flow. In that way, I know when I have processed it and I know I can find it again in OneNote for when I process my OneNote and create actionable tasks.

Here is how to get started with using Microsoft Flow for moving flagged emails to your Collection section in Microsoft OneNote that is stored in OneDrive for Business in Office 365.

  1. Log on to your Office 365 portal
  2. Click on the Flow icon to get started
    • requires that Flow is enabled for your tenant and your user
  3. Search for Outlook, because that is our trigger
  4. Choose the trigger for when flagging an email in your inbox
  5. Click on Next Step and search for OneNote (Business)
  6. Choose create page in section
  7. Choose the notebook that is stored in OneDrive for Business
  8. Choose the section you want to store it in, which should be your collection section
  9. In order to get good input from the email, you need to paste in some HTML code so that the subject becomes the title and more info from the email goes into OneNote
  10. From here, save the flow
    • it takes 10-15 minutes for first run
    • The free version runs every 15 minutes, the Office 365 flow version runs every 5 minutes
    • For Office 365 the number of times a flow can run is tenant wide and is aggregated by the number of user licenses in the tenant and is 2000 times per user per month
    • One user can consume a lot more runs than 2000, but the average is 2000 per user per month
    • Read more here: https://flow.microsoft.com/en-us/pricing/#plan-feature-table
  11. The flow with flagging of emails is only run when you actually do the flagging, so you only consume a run when you flag an email

Check out my OneNote LifeHacks video from Ignite on how to set this up.

References

Looking for coaching on being more productive with OneNote and get more stuff done, connect with me at CloudWay

The Fourth Edition of Office 365 for IT Pros is now available

I am proud to be part of the team that has now produced and released The Fourth Edition of Office 365 for IT Pros. The book is regularly updated and adjusted to the ever-changing Office 365 services. This is why there is no printed version of the book. It is available as an eBook (PDF + EPUB) and in the Amazon Kindle Store. Read more and get it here

My contribution is the Skype for Business chapter, where I explain the service from the basics, how to succeed with adoption and usage, and dive into understanding the core technology and optimizing for media quality. This is an evolving book and I will add content to the chapter as new features get released and as more E5 features become mainstream.

The authors, proud to be part of the team

Personally I like the format of the book because it is written by MVPs who work with the technology every day and have a deep understanding of the underlying technology. I was first introduced to the book when trying to understand how Office 365 Groups work and had difficulty finding relevant and updated documentation on the internet. Reading the chapter on Office 365 Groups in the book helped me get an updated and correct understanding of the service and put it in the context of other services in Office 365. This is why I recommend this book to all IT Pros working with Office 365 who need a general understanding of the entire service.

The Essential Guide to Office 365 for IT Pros

Teaching productivity soft skills at MVP Connection in Madrid June 1st

I am super excited to be picked out to teach productivity soft skills to the MVPs and Regional Directors attending MVP Community Connection in Madrid June 1st. For the past year I have developed my OneNote productivity framework that I still use and succeed with. By borrowing and combining known productivity methodology such as Take Back Your Life, Getting Things Done and the Pomodoro Technique, I will talk about stuff you already know, but still need to be reminded of.

Why OneNote? There are three factors that work well for me with OneNote

  1. Flexible notetaking tool, you can paste anything anywhere and it works great with touch and pen.
  2. Syncs across devices through OneDrive with great apps for all operating systems including mobile.
  3. OneNote tasks are key and work the same on all devices, so I can easily complete a task on my mobile.

It is all about getting a finite list of all your activities and thoughts so that you can prioritize and execute on the most important task at any given time. And the result? A happy life, and a productive life :) People who have tested the framework report back that a burden has been taken off their shoulders. Turns out that your mind is for having ideas, not holding them as David Allen says. By dumping everything in your head, you free up space to relax, enjoy the moment and focus on your current task at hand.

Learn how in my LifeHack OneNote session at MVP Community Connection

Proud to be contributing on the Fourth Edition of Office 365 for IT Pros book

I think that search engines are losing their powers in an evergreen and ever-changing cloud world. When searching failed me for learning what I needed about Office 365 Groups, I found that the Office 365 for IT Pros book had the angle and up-to-date answers I needed. It is kept up to date by MVPs who work with and understand the technology for what it is and what it's not, so you know you get an up-to-date and thoughtful answer. It covers all of Office 365 with practical examples to get you started. I strongly believe in this format moving forward since it is difficult to search for Groups or Teams online, and when you find articles they are half a year old and may or may not be outdated. To make sure I stay up to date on my core knowledge, I offered my services to write about Skype for Business Online and hybrid. I am happy to be accepted into the team with Tony Redmond, Michael Van Horenbeeck and Paul Cunningham. I look forward to contributing to a great collection of knowledge. The fourth edition is planned for a June 1st release, read more about it here

Totally recommend Office 365 for IT Pros if you are an Office 365 admin or consultant. Get it here

Microsoft Teams Preview and Office 365 Groups member mismatch and how to fix it

Office 365 Groups are at the core for next generation Office 365 services such as Planner, Microsoft Teams and Modern SharePoint Teamsites. At the time of writing (Teams preview before March 2017) I have discovered the following regarding Office 365 Groups and membership especially in an active Microsoft Teams environment, where you are adding new members directly in the Teams client.

The Short story

Microsoft Teams in preview (before March 2017) did not add new members to the Office 365 Groups in Exchange, only to the corresponding Azure AD Group. The Azure AD Group is used to give access to SharePoint documents, and adding a new Teams member gives access to the SharePoint Site. This results in a mismatch in member-count between these two groups that can be confusing for users when navigating around the different Office 365 Groups interfaces.

The Long story, understanding the different groups

Creating Office 365 Groups

  • When creating an Office 365 Group a corresponding Azure AD Group also gets created
    • The Azure AD Group is used for Group write back with Azure AD Connect and permissions in SharePoint Teamsites
      • The Group write back option is only necessary if you have a hybrid Exchange environment and users hosted on-premises that needs to be able to resolve the distribution email address and its members
      • It may also be necessary for Skype for Business hybrid environments in order to be able to add the Office 365 Groups as group in the Skype contactlist
    • If you create the Office 365 Group in the GUI from Outlook, members get added to that Azure AD Group
    • If you create the Office 365 Group using PowerShell with New-UnifiedGroup (this still applies post March 2017) and use the -Members option, members will not get added to the Azure AD Group and you get a mismatch in member count
      • New-UnifiedGroup -Members
      • Only the Office 365 Group Owner will get added to the Azure AD Group as member, and this is an issue for the Group Write Back with AADC
      • A corresponding SharePoint TeamSite gets created when a member of the group with a SharePoint license logs on to either Office 365 Groups or creates a Microsoft Teams team
    • If you create the group in PowerShell with New-UnifiedGroup without adding members and add the members using Add-UnifiedGroupLinks, then members will get added to the corresponding Azure AD Group

Recommended method to create Office 365 Groups via PowerShell

Make sure you are logged in to Exchange Online PowerShell before you start creating the group

$Owner = "stale@msunified.net"
$Users = "julia@msunified.net","Skype.buddy@msunified.net"
$alias = "MyNewOffice365Group"
#Create the group with the owner only; members are added afterwards with Add-UnifiedGroupLinks so they also end up in the Azure AD Group
New-UnifiedGroup -DisplayName $alias -Alias $alias -EmailAddresses "$alias@msunified.net" -Owner $Owner -Verbose
#This is optional, but may be a good practice initially since Office 365 Groups may clutter your Global Address Book
Set-UnifiedGroup -Identity $alias -HiddenFromAddressListsEnabled $true
#Add the members to the group
Add-UnifiedGroupLinks -Identity $alias -LinkType Member -Links $Users
#Validate that the members were added ok
Get-UnifiedGroupLinks -Identity $alias -LinkType Member
#If you want to validate that the Azure AD group is updated ok, run the detection script below but keep $alias set to this group instead of setting it to $null

Adding members to existing Office 365 Groups

  • Adding members using the Exchange Online cmdlet Add-UnifiedGroupLinks results in users getting added to both the Office 365 Group and the Azure AD Group, all is good
    • If this is also a Microsoft Teams enabled group, then the members will get added to the team as well within 24 hours (or so)
  • Adding members using the web UI as a user results in users getting added to both the Office 365 Group and the Azure AD Group, all is good
  • Adding members from the SharePoint Teamsite UI resulted (before March 2017) in users only getting added to the Azure AD Group, and you have a mismatch of user count between Azure AD and Office 365
  • Adding users from the Microsoft Teams client (before March 2017) would result in users only getting added to the Azure AD Group, which gives full write access to all the corresponding SharePoint Teamsite documents
    • This resulted in a mismatch between the Azure AD Group and the Office 365 Group, and if users are expected to see the group under Groups in Outlook, they will not
    • You would also get a mismatch in the member list between Microsoft Teams and Office 365 Groups on the web
      • If the user tried to access the Exchange components of the group they would get added to the member list, but not until they actively added the group or went via the SharePoint Teamsite to the group conversation button in the top right corner

Consequences

  • If you are not a member of the Office 365 Group, you are not a part of the distribution group and you will not see the Group in either Outlook or Outlook Web App
  • If you are not added to the Azure AD Group, you will not be part of the group that gets synced back to Active Directory and part of the on-premises distribution group for users hosted on Exchange Server
  • If you are not part of the Azure AD Group, you will not be visible in the Graph API, as there is no way to resolve members of an Office 365 Group via the API, only members of the corresponding Azure AD Group (at the time of writing, may change in the future)

Workarounds

  • Add the member in the web UI for Groups then it will get added to the Exchange part and Azure AD part of the Office 365 Group
  • Detect and remedy the different user memberships using PowerShell by detecting and adding the missing users to either Office 365 Groups or Azure AD Group

How to detect mismatch in member-count in Office 365 Groups and Azure AD Group

Below is a simple example of how to list all the groups that have a member-count mismatch between Office 365 Groups and Azure AD Groups. It is always the Azure AD group that has the most, and the correct, set of members, so that is why we add those members to the Exchange part of the Office 365 Group.

Before you run the example you need to install the latest MSOnline PowerShell V1 module and be logged in to the Exchange Online PowerShell module.

Find all groups with mismatch in member-count
$alias=$null
#Find groups that have mismatching member-count in Office 365 groups and Azure AD groups
$Groups = @()
#Get all Office 365 Groups, or only the one in $alias if it is set (see the creation script above)
if ($alias) { $UnifiedGroup = Get-UnifiedGroup -Identity $alias } else { $UnifiedGroup = Get-UnifiedGroup -ResultSize Unlimited }
#Get all Azure AD groups once, instead of once per Office 365 Group
$AADGroups = Get-MsolGroup -GroupType DistributionList -All
ForEach ($Group in $UnifiedGroup){
    #Get the members of the group
    $UnifiedGroupLink = Get-UnifiedGroupLinks -Identity $Group.Identity -LinkType Member | Select-Object -ExpandProperty PrimarySmtpAddress
    #If there are members in the group, find the corresponding Azure AD Group and its members. Add the result in a custom PowerShell object
    if (@($UnifiedGroupLink).Count -ne 0){
        $AADGroup = $AADGroups | Where-Object {$_.EmailAddress -eq $Group.PrimarySmtpAddress}
        if (-not $AADGroup){ Write-Warning "No Azure AD group found for $($Group.PrimarySmtpAddress)"; continue }
        #Fetch the Azure AD members once and reuse them for both the list and the count
        $AADMembers = Get-MsolGroupMember -GroupObjectId $AADGroup.ObjectId -All | Select-Object -ExpandProperty EmailAddress
        $TempGroups = New-Object PSObject -Property @{
            Emailaddress    = $Group.PrimarySmtpAddress
            O365Members     = $UnifiedGroupLink
            O365membercount = @($UnifiedGroupLink).Count
            AADGUID         = $AADGroup.ObjectId
            AADmembers      = $AADMembers
            AADmembercount  = @($AADMembers).Count
        }
        #If there is a mismatch in the member count, add the group to the final output variable and write the group to the console
        if($TempGroups.O365membercount -ne $TempGroups.AADmembercount){$Groups += $TempGroups; $TempGroups}
    }
}
#List all groups with mismatch
$Groups
#Count the number of groups with a mismatch
Write-Host "Number of groups with mismatching member-count:" @($Groups).Count
List all the members not present in the Office 365 Group
#Find all members that are present in the Azure AD group and need to be added to the Office 365 Group
foreach ($CurrentGroup in $Groups){
    Write-Host
    Write-Host "Checking Group"$CurrentGroup.Emailaddress
    #Members of the Azure AD group that are missing from the Office 365 Group
    $NewMembers = $CurrentGroup.AADmembers | Where-Object {$CurrentGroup.O365Members -NotContains $_}
    $NewMembers
}
Add the missing members to the Office 365 Group
#Add the users from the Azure AD group to the Office 365 group, the users added will not get a welcome mail.
foreach ($CurrentGroup in $Groups){
    Write-Host
    Write-Host "Checking Group"$CurrentGroup.Emailaddress
    #Members of the Azure AD group that are missing from the Office 365 Group
    $NewMembers = $CurrentGroup.AADmembers | Where-Object {$CurrentGroup.O365Members -NotContains $_}
    #Add-UnifiedGroupLinks fails on an empty -Links value, so skip groups with nothing to add
    if ($NewMembers){
        Add-UnifiedGroupLinks -Identity $CurrentGroup.Emailaddress -LinkType Member -Links $NewMembers -Verbose
    }
    Get-UnifiedGroupLinks -Identity $CurrentGroup.Emailaddress -LinkType Member
}

Office 365 Multi-Factor Authentication requirements explained

Short version

Multi-Factor Authentication (MFA) in Office 365 depends on Modern Authentication, which is OAuth 2.0 via ADAL, authenticating the user in Azure AD

Longer version with links to deep dives

  • What is MFA?
    • Multi-Factor Authentication (MFA) in Office 365 requires Modern Authentication (OAuth 2.0 + ADAL) to be enabled for the clients and services that are going to use MFA
    • MFA, also called two-step verification, is a method of authentication that requires more than one verification method, combining the sign-in with the Azure Authenticator app, SMS or phone call verification
    • Read more here
  • What is Modern Authentication?
    • Modern Authentication is OAuth 2.0 used via ADAL to enable newer applications (Outlook, Word, OneNote, Skype for Business and other Office applications) to authenticate to services such as Skype for Business, Exchange and SharePoint
    • In Office 2013 with the March 2015 update and later, Modern Authentication is supported; in Office 2016 it is enabled by default and uses an in-application browser control to render the Azure AD sign-in experience
    • Read more here
  • What is oAuth?
    • Open Authorization 2.0 (OAuth 2.0) is used as a component via ADAL as the web-based authorization flow between servers, or between clients and servers
    • Read more here
  • What is ADAL?
    • Microsoft Azure Active Directory Authentication Library (ADAL) is a .NET Framework library that lets client applications authenticate users to Office 365 and Azure AD
    • Read more here
  • Two options are available for SSO with on-premises AD that require Modern Authentication
    • Pass Through Authentication (PTA)
      • Works with Office 365 only
      • Enabled on latest AADC with outbound connection only, no DMZ server
      • Just set up several AADC servers and it is automatically load balanced, resulting in low operational cost
      • Does not store password in Azure AD, authenticates user in on-premises AD first and presents MFA after that if enabled
      • In combination with password sync you are not dependent on AADC uptime
      • Read more here and here
    • ADFS 3.0
      • Used for hybrid Skype for Business and Exchange environments
        • Skype for Business Server hybrid supports Modern Authentication, but will do NTLM authentication to on-premises AD and give an MFA pop-up when authenticating to Exchange Online, read more here
        • I recommend Pointsharp MFA for on-premises and hybrid Skype for Business deployments
        • Exchange Server hybrid requires MFA Server, read more here
        • For best Azure MFA result an Online only deployment is recommended
      • ADFS is best for larger organizations
      • More complex and requires proxy servers in DMZ with public IP and Certificate
      • Requires loadbalancer for high-availability
      • Is required when doing MFA with Smart Card, 3rd party tokens and certificate based authentication
      • Read more here
  • You can now use Microsoft Intune to control MFA options and turn off MFA for certain subnets and conditions, read more here
  • Read about conditional access, MFA with Intune Hybrid and SCCM
  • Use Azure AD Premium with automated password roll-over for business social media profiles protected by a MFA enabled identity with centrally controlled delegation, read more here

Using Lync Mobile with Office 365 and Lync Online

Now that the Lync Mobile Client is released it is important to enable your Office 365 Lync Online domain to support these clients. This blog post will specify what you need to do

Lync Mobile features

The Lync mobile client is released for Windows Phone 7, iPhone, iPad, Android and later on Nokia (Symbian). The feature set is about the same across the platforms. There is no ability to view meeting content, video or do voice over IP. The main features are therefore

  • IM and presence
  • One Click join meetings (Requires audio conferencing provider)
  • View contacts

For a detailed feature list see the TechNet article: http://technet.microsoft.com/en-us/library/hh691004.aspx

Enable your domain for Lync Mobile automatic discovery

When using Lync Mobile over WiFi make sure you check the following

  • Open outbound port TCP 5223 in the firewall for Apple push notification
  • If your firewall or proxy settings block SRV queries, add a CNAME record for your domain called lyncdiscover.yourdomain.com pointing to webdir.online.lync.com in your internal DNS

That's it. It should be a simple process. In order for this to work you need to have published the Lync Online service as depicted in this KB article: http://support.microsoft.com/kb/2566790
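A quick check of the two items above from a Windows machine on the WiFi network, added here as an example and not part of the original post. It assumes Windows 8 / Server 2012 or later (for Resolve-DnsName and Test-NetConnection), that contoso.com stands in for your own SIP domain, and that courier.push.apple.com is a representative Apple push notification host; adjust if your APNs endpoint differs.

```powershell
# Added example (not from the original post): verify lyncdiscover DNS and the APNs port
# from a client on the WiFi network. Requires Windows 8 / Server 2012 or later.
function Test-LyncMobileDiscovery {
    param([Parameter(Mandatory)][string]$SipDomain)

    $result = [ordered]@{ Domain = $SipDomain }

    # 1. lyncdiscover.<domain> must resolve; for Lync Online it should be a CNAME to webdir.online.lync.com
    $name  = "lyncdiscover.$SipDomain"
    $cname = Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'CNAME' -and $_.Name -eq $name } | Select-Object -First 1
    $result.LyncDiscoverTarget = $cname.NameHost
    $result.LyncDiscoverOk     = ($cname.NameHost -eq 'webdir.online.lync.com')

    # 2. Outbound TCP 5223 must be open for Apple push notifications (assumed APNs host, see lead-in)
    $apns = Test-NetConnection -ComputerName 'courier.push.apple.com' -Port 5223 -WarningAction SilentlyContinue
    $result.ApnsPort5223Open = [bool]$apns.TcpTestSucceeded

    # Overall verdict: both checks have to pass for the mobile client to sign in over WiFi
    $result.Ready = $result.LyncDiscoverOk -and $result.ApnsPort5223Open
    [pscustomobject]$result
}

# Assumed SIP domain; replace with your own
Test-LyncMobileDiscovery -SipDomain 'contoso.com'
```

If LyncDiscoverOk is false on the internal network but true from the internet, the internal CNAME from the list above is what is missing.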

References

Set up Lync mobile devices: http://community.office365.com/en-us/w/lync/1040.aspx
Deploying Lync Mobile Clients: http://technet.microsoft.com/en-us/library/hh691005.aspx
Ensuring Your Network Works With Lync Online: http://community.office365.com/en-us/w/lync/ensuring-your-network-works-with-lync-online.aspx

Slides and interview from TechDays Norway 2011 is now available online

September 7 2011 I had the honour to attend and speak at TechDays Norway 2011. My sessions were about Office 365 and more specifically Exchange Online and Lync Online. The slides and interview are in Norwegian.

Change the default Calendar AccessRight on all mailboxes to Reviewer

Back in July 2010 I created a script to set the default AccessRight to Reviewer for Exchange 2010. This was a new feature in Exchange 2010: we could use the cmdlet Set-MailboxFolderPermission to change AccessRights on specific folders at the server level. As the calendar is a folder, we could now do this organization-wide using PowerShell.

The reason for creating this script is that when migrating customers in Norway, most of them want to allow everyone to use side-by-side calendaring in Outlook and Outlook Web App. In Exchange 2003/2007 we needed to instruct users how to set Default to Reviewer. This script sets it for all users. The script works for both Exchange Online and Exchange Server 2010. For Exchange 2007 check out this post on how to do it: http://exchangeshare.wordpress.com/2008/05/27/faq-give-calendar-read-permission-on-all-mailboxes-pfdavadmin/

Get the script here: https://msunified.net/exchange-downloads/script-set-calendarpermissions-ps1/

What the script does

As the picture shows you get three menu items.

  1. Will set the permission on all users and resources
  2. Will set the permission on all users and resources created the last 30 days
  3. Will give a user you specify Editor access to a mailbox you specify
    • This is good for switchboard or secretary functions
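The three menu items implemented as two functions, as an added example; this is not the author's Set-CalendarPermissions.ps1 (which is only linked above). It assumes an Exchange Online or Exchange 2010 remote session is already imported, and the function names Set-DefaultCalendarAccess and Grant-CalendarEditor are made up for this example.

```powershell
# Added example, not the author's script. Assumes an imported Exchange remote session.
function Set-DefaultCalendarAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Reviewer lets everyone read calendar details; AvailabilityOnly would be the stricter choice
        [string]$AccessRight = 'Reviewer',
        # 0 = all users and resources (menu item 1); 30 = only mailboxes created the last 30 days (menu item 2)
        [int]$CreatedWithinDays = 0
    )
    $mailboxes = Get-Mailbox -ResultSize Unlimited
    if ($CreatedWithinDays -gt 0) {
        $since = (Get-Date).AddDays(-$CreatedWithinDays)
        $mailboxes = $mailboxes | Where-Object { $_.WhenCreated -ge $since }
    }
    foreach ($mbx in $mailboxes) {
        # The calendar folder name follows the mailbox language ("Kalender" on a Norwegian mailbox),
        # so resolve it from the folder statistics instead of hard-coding "\Calendar"
        $calendar = Get-MailboxFolderStatistics -Identity $mbx.Identity -FolderScope Calendar |
            Where-Object { $_.FolderType -eq 'Calendar' } | Select-Object -First 1
        if (-not $calendar) { Write-Warning "No calendar folder found for $($mbx.PrimarySmtpAddress)"; continue }
        # Identity format for folder permissions is <mailbox>:\<folder path>
        $folderId = "$($mbx.PrimarySmtpAddress):$($calendar.FolderPath -replace '/', '\')"
        if ($PSCmdlet.ShouldProcess($folderId, "Set Default to $AccessRight")) {
            Set-MailboxFolderPermission -Identity $folderId -User Default -AccessRights $AccessRight
        }
    }
}

# Menu item 3: give one user (e.g. a switchboard or secretary account) Editor access to another user's calendar
function Grant-CalendarEditor {
    param(
        [Parameter(Mandatory)][string]$Mailbox,
        [Parameter(Mandatory)][string]$User
    )
    $calendar = Get-MailboxFolderStatistics -Identity $Mailbox -FolderScope Calendar |
        Where-Object { $_.FolderType -eq 'Calendar' } | Select-Object -First 1
    $folderId = "${Mailbox}:$($calendar.FolderPath -replace '/', '\')"
    # Add- fails if the user already has an entry on the folder; fall back to Set- in that case
    try   { Add-MailboxFolderPermission -Identity $folderId -User $User -AccessRights Editor -ErrorAction Stop }
    catch { Set-MailboxFolderPermission -Identity $folderId -User $User -AccessRights Editor }
}

# Preview what would change for mailboxes created the last 30 days before running for real
Set-DefaultCalendarAccess -CreatedWithinDays 30 -WhatIf
```

Drop -WhatIf to apply the change; -CreatedWithinDays 0 covers every mailbox, which is what menu item 1 does.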

How to run the script against an Exchange Online environment

  • Connect to Exchange Online through PowerShell Remoting
$cred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $Session
  • Set Execution Policy to unrestricted
Set-ExecutionPolicy Unrestricted
  • Run the script: copy it, save it as a .ps1 file, navigate to it in PowerShell, start typing Set-Cal and hit TAB to use tab completion
.\Set-CalendarPermissions.ps1

Resources

Administering Microsoft Office 365 using Windows PowerShell: http://blog.powershell.no/2011/05/09/administering-microsoft-office-365-using-windows-powershell/