Office 365 Multi-Factor Authentication requirements explained

Short version

Multi-Factor Authentication (MFA) in Office 365 depends on Modern Authentication, which is oAuth 2.0 via ADAL, authenticating the user in Azure AD.

Longer version with links to deep dives

  • What is MFA?
    • Multi-Factor Authentication (MFA) in Office 365 requires Modern Authentication (oAuth 2.0 + ADAL) to be enabled for the clients and services that are going to use MFA
    • MFA, also called two-step verification, is an authentication method that requires a second verification step in addition to the password: the Azure Authenticator app, an SMS code or a phone call
    • Read more here
  • What is Modern Authentication?
    • Modern Authentication is oAuth 2.0 used via ADAL to enable newer applications (Outlook, Word, OneNote, Skype for Business and other Office applications) to authenticate to services such as Skype for Business, Exchange and SharePoint
    • Modern Authentication is supported in Office 2013 from the March 2015 update onwards; in Office 2016 it is enabled by default and uses an in-application browser control to render the Azure AD sign-in experience
    • Read more here
  • What is oAuth?
    • Open Authentication 2.0 (oAuth 2.0) is used as a component via ADAL as the web-based authorization flow between servers or clients and servers
    • Read more here
  • What is ADAL?
    • Microsoft Azure Active Directory Authentication Library (ADAL) is a tool in the .NET framework that lets client applications authenticate users to Office 365 and Azure AD
    • Read more here
  • Two options are available for SSO with on-premises AD in scenarios that require Modern Authentication
    • Pass Through Authentication (PTA)
      • Works with Office 365 only
      • Enabled on the latest AADC with an outbound connection only, no DMZ server
      • Just set up several AADC instances and they are automatically load balanced, resulting in low operational cost
      • Does not store the password in Azure AD; authenticates the user in on-premises AD first and presents MFA after that if enabled
      • In combination with password sync you are not dependent on AADC uptime
      • Read more here and here
    • ADFS 3.0
      • Used for hybrid Skype for Business and Exchange environments
        • Skype for Business Server hybrid supports Modern Authentication, but will do NTLM authentication to on-premises AD and give an MFA pop-up when authenticating to Exchange Online, read more here
        • I recommend Pointsharp MFA for on-premises and hybrid Skype for Business deployments
        • Exchange Server hybrid requires MFA Server, read more here
        • For best Azure MFA result an Online only deployment is recommended
      • ADFS is best for larger organizations
      • More complex, and requires proxy servers in the DMZ with a public IP and certificate
      • Requires a load balancer for high availability
      • Is required when doing MFA with smart cards, 3rd-party tokens or certificate-based authentication
      • Read more here
  • You can now use Microsoft Intune to control MFA options and turn off MFA for certain subnets and conditions, read more here
  • Read about conditional access, MFA with Intune Hybrid and SCCM
  • Use Azure AD Premium with automated password roll-over for business social media profiles protected by an MFA-enabled identity with centrally controlled delegation, read more here


My TechNet Live Exchange 2010 Screencasts are Now Online at TechNet Edge

This year I got the honour of being the speaker on the Exchange track at TechNet Live in Norway. TechNet Live is held in the four largest cities in Norway every year, and this year there were about 1800 attendees across all the cities. Below are the screencasts from my sessions in Bergen. The presentations are in Norwegian.

Session 1: Exchange 2010 Installation and Migration. Talks about:

  • Some new features in Exchange 2010
  • How to prepare before an installation
  • How to Migrate to Exchange 2010
  • How Client Access coexistence works
  • Gotchas during the first Exchange 2010 migrations
  • Download PDF

Session 2: Exchange 2010 Performance and Scalability. Talks about:

  • Memory and Processor requirements
  • Virtualization
  • Planning for Scalability
  • Some new High Availability features
  • Walks through some new HA scenarios for Exchange 2010
  • Download PDF


Install Exchange 2010 with latest update in Unattended Mode

If you are planning to install a new Microsoft Exchange Server 2010, you should probably consider installing the latest update before configuring any of the server roles.

The below guide is not written by me. I found it so useful that I want to repost it here on my blog for later reference. This guide is written by Elie Bou Issa and the original article can be found here: http://blog.elieb.info/2010/03/06/exchange-2010-with-ur2-installation-in-unattended-mode.aspx

In the below scenario, we are installing the Mailbox role, the Client Access role and the Hub Transport role along with Update Rollup 2 in unattended mode. The Exchange installation root folder is called exch and Update Rollup 2 is placed under C:\Exchange2010\Patches. To install the Exchange prerequisites, run “Exchange-Typical.xml” from the Scripts folder found in the installation directory. You can also take a look at this post for installing the prerequisites manually: https://msunified.net/2009/10/30/exchange-2010-prerequisites-on-server-2008-r2/
After successfully installing the prerequisites, set the NetTcpPortSharing service startup type to automatic by running the below command.

Now it is time to run the setup in unattended mode. To do that, run the following command from the Exchange installation directory:

Setup.com /m:Install /r:M,C,H /OrganizationName:<Name of the Organization> /UpdatesDir:<Updates path>

If you wish to check the different options for unattended setup, you can refer to Install Exchange 2010 in Unattended Mode.

After completing the installation, you can check the product version by clicking Help -> About from the Exchange Management Console as shown below:
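The procedure above as one script, added here as an example and not part of the original guide; the paths, the organization name and the use of Get-ExchangeServer to read the build instead of Help -> About are my assumptions.

```powershell
# Added example (not from the original post): wraps the unattended Exchange 2010
# install steps in one script. Paths and organization name are placeholders.
$ExchangeSetup = "C:\Exchange2010\exch\Setup.com"   # installation root folder "exch"
$UpdatesDir    = "C:\Exchange2010\Patches"          # folder holding Update Rollup 2
$OrgName       = "Contoso"                          # hypothetical organization name

# Step 1: the NetTcpPortSharing service must start automatically before setup runs
Set-Service -Name NetTcpPortSharing -StartupType Automatic

# Step 2: run setup unattended with Mailbox, Client Access and Hub Transport roles,
# pointing it at the updates folder so the rollup is applied during installation
& $ExchangeSetup /m:Install /r:M,C,H "/OrganizationName:$OrgName" "/UpdatesDir:$UpdatesDir"
if ($LASTEXITCODE -ne 0) { throw "Exchange setup failed with exit code $LASTEXITCODE" }

# Step 3: verify the installed build from the shell instead of Help -> About.
# Loads the Exchange 2010 snap-in so the cmdlet is available in a plain console.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue
Get-ExchangeServer -Identity $env:COMPUTERNAME | Format-List Name, AdminDisplayVersion
```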

Exchange and OCS Google custom search

I have created a Custom Search engine using Google Custom Search. I have set it up to only search the sites, blogs and technical resources that I have specified. I will use this search engine when troubleshooting and looking for useful information. The point is to remove all the unnecessary hits you get from using the regular search engine and make sure I get hits from the brightest bloggers out there.

I have tried to collect good blogs and resources for Exchange and OCS and have made a list of the sites that are added. Try it out and please let me know if there are sites that should be in the search engine and I’ll add them.

http://anewmessagehasarrived.blogspot.com/
http://aspoc.net/
http://blog.insideocs.com/
http://blog.tiensivu.com/aaron/
http://blogs.3sharp.com/deving/
http://blog.misthos.com/
http://blogs.msdn.com/byrons/
http://blogs.msdn.com/dgoldman/
http://blogs.msdn.com/douggowans/
http://blogs.pointbridge.com/Blogs/schertz_jeff/pages/
http://blogs.technet.com/benw/
http://blogs.technet.com/evand/
http://blogs.technet.com/jenstr/
http://blogs.technet.com/jkunert/
http://blogs.technet.com/mfugatt/
http://blogs.technet.com/scottschnoll/
http://blogs.technet.com/themasterblog/
http://blogs.technet.com/toml/
http://blogs.technet.com/uc/
http://cacorner.blogspot.com/
http://cmcgreanor.wordpress.com/
http://communicationsserverteam.com/
http://communicatorteam.com/
http://edge.technet.com/Tags/Exchange/
http://edge.technet.com/Tags/OCS/
http://evangelyze.net/cs/blogs/mike/
http://exchangeinbox.com/
http://exchangeshare.wordpress.com/
http://gsexdev.blogspot.com/
http://mostlyexchange.blogspot.com/
http://msexchangeteam.com/
http://msexchangetips.blogspot.com/
http://msgoodies.blogspot.com/
https://msunified.net/
http://ocsguy.com/
http://smtp25.blogspot.com/
http://social.microsoft.com/Forums/en-US/communicationsserver/
http://social.technet.microsoft.com/Forums/en-US/exchange/
http://social.technet.microsoft.com/Forums/en-US/exchange2010/
http://social.technet.microsoft.com/Forums/en-US/exrca/threads/
http://technet.microsoft.com/en-gb/library/
http://theessentialexchange.com/blogs/michael/
http://theucguy.wordpress.com/
http://unified-communications.blogspot.com/
http://waveformation.com/
http://www.exchangepedia.com/blog/
http://www.msexchange.org/
http://www.ocspedia.com/
http://www.outlook-web-access.com/
http://www.petri.co.il/
http://www.robichaux.net/blog/
http://www.shudnow.net/
http://www.telnetport25.com/
http://www.viveksharma.com/techlog/

Update 11.08.09: Added Exchange and OCS blogs from Pointbridge
http://blogs.pointbridge.com/Blogs/mcgillen_matt/pages/
http://blogs.pointbridge.com/Blogs/steele_aaron/Pages/
http://blogs.pointbridge.com/Blogs/nielsen_travis/pages/
http://blogs.pointbridge.com/Blogs/enger_erik/pages/
http://blogs.pointbridge.com/Blogs/greve_david/pages/

Update 14.08.09 added the following blogs taken from the great collection over at the Communications Server Team:
http://blogs.msdn.com/midunn/
http://blogs.msdn.com/scottos/default.aspx
http://blogs.technet.com/brettjo/default.aspx
http://blogs.technet.com/dodeitte/default.aspx
http://blogs.technet.com/dougl/
http://blogs.technet.com/gclark/default.aspx
http://blogs.technet.com/jitreddy/
http://blogs.technet.com/jkruse/default.aspx
http://blogs.technet.com/kpalmvig/
http://blogs.technet.com/msukucc/
http://blogs.technet.com/perez/default.aspx
http://blogs.technet.com/ramo/
http://blogs.technet.com/rickva/default.aspx
http://blogs.technet.com/ucedsg/default.aspx
http://chrislehr.com/blog.htm
http://www.cinline.se/
http://it-proknowledge.blogspot.com/
http://msmvps.com/blogs/andersonpatricio/default.aspx
http://msmvps.com/blogs/ehlo/default.aspx
http://russkirk.typepad.com/
http://servusinc.org/myblog/
http://unifiedcommunications.mindsharpblogs.com/RussK/default.aspx
http://www.exchange-genie.com/
http://www.leedesmond.com/weblog/
http://www.technotesblog.com/
http://www.unifysquare.com/blog/

Update 07.02.10 added the following blogs
http://www.msexchangeguru.com
http://www.msexchangegeek.com
http://www.nitingupta.in/blogs
http://howtoexchange.wordpress.com/

Update 02.05.10 added the following blogs
http://www.mikepfeiffer.net
http://sysadmin-talk.org/

Update 24.10.10 added the following blogs
http://blog.schertz.name/
http://marjuss.wordpress.com/

Allowing application servers to relay off Exchange Server 2007

To allow application servers to relay through your Exchange 2007 server, do the following:

  • Create a new internal receive connector in EMC
  • Add the servers that need to relay
  • When created edit the settings and navigate to Permission Groups
  • Select only Anonymous users, deselect other options
  • Navigate to the Authentication tab
  • Deselect every checkbox so that nothing is selected
  • Apply changes
  • Open EMS and run the following commandlet
  • Get-ReceiveConnector “InternalRelay” | Add-ADPermission -User “NT AUTHORITY\ANONYMOUS LOGON” -ExtendedRights “ms-Exch-SMTP-Accept-Any-Recipient”
  • Relay should now work for the selected servers

This information was based on this blog, http://msexchangeteam.com/archive/2006/12/28/432013.aspx
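The same connector built from EMS instead of the EMC, with a check that the anonymous relay right exists only on the intended connector; this is an added example, not code from the original post or the referenced blog, and the server name, IP addresses and connector name are placeholders.

```powershell
# Added example (not from the original post): creates the internal relay connector
# from the steps above with EMS cmdlets, then audits which connectors grant
# anonymous relay. Server name, IPs and connector name are placeholders.
$Server        = "HUB01"                        # hypothetical Hub Transport server
$ConnectorName = "InternalRelay"
$RelayHosts    = "10.0.10.25", "10.0.10.26"     # only the application servers that must relay

# Scope the connector to the listed remote IPs: a connector with a more specific
# RemoteIPRanges wins over the Default connector for those hosts. Anonymous users
# only and no authentication mechanisms, matching the EMC settings in the post.
New-ReceiveConnector -Name $ConnectorName -Server $Server -Usage Custom `
    -Bindings "0.0.0.0:25" -RemoteIPRanges $RelayHosts `
    -AuthMechanism None -PermissionGroups AnonymousUsers | Out-Null

# Grant anonymous senders the right to relay to any recipient (the cmdlet from the post)
Get-ReceiveConnector "$Server\$ConnectorName" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient" | Out-Null

# Audit: list every connector on the server that carries the anonymous relay right.
# Only the new connector should appear, and its RemoteIPRanges must stay narrow;
# the same right on a connector answering every remote IP is an open relay.
function Get-AnonymousRelayConnector([string]$ServerName) {
    Get-ReceiveConnector -Server $ServerName | Where-Object {
        $Perm = Get-ADPermission -Identity $_.Identity -User "NT AUTHORITY\ANONYMOUS LOGON" |
            Where-Object { $_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient" }
        $Perm -ne $null
    } | Select-Object Identity, RemoteIPRanges, PermissionGroups, AuthMechanism
}

Get-AnonymousRelayConnector -ServerName $Server | Format-List
```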

Deleted Mailbox not appearing in Disconnected mailbox in Exchange 2007

Deleted mailboxes will appear in the disconnected mailbox list, but not immediately. You have to wait for online maintenance to run and complete.

If you accidentally delete a mailbox and want to reconnect it, you may not be able to find it under Disconnected Mailbox. You have to run Clean-MailboxDatabase to make the deleted mailbox show up. Also, if you want to disconnect the mailbox to re-add it to another user or the same user, do the following:

  • Disable the mailbox in EMC
  • When you disable a mailbox the user object stays in AD and the mailbox is marked for deletion.
  • The disconnected mailbox should appear in the disconnected mailbox view
  • If it is not appearing in the disconnected mailbox view, run one of the following commands from PowerShell

Clean-MailboxDatabase "<servername>\<SGName>\<Store>"
Cleans the database of an individual store

Get-MailboxDatabase | Clean-MailboxDatabase
Cleans all the databases in the organization

Get-MailboxDatabase | Where { $_.Server -eq "<servername>" } | Clean-MailboxDatabase
Cleans all the databases on the specified server

Get-MailboxDatabase | Where { $_.Name -eq "<DatabaseName>" } | Clean-MailboxDatabase
Cleans all the databases whose name matches the given DatabaseName

  • After the command completes, check the event viewer for the following event IDs
    • Event ID 9531 – the Clean-MailboxDatabase process has begun
    • Event ID 9533 – a user does not exist in the directory or is not enabled for Exchange mail. This mailbox will be removed from the mailbox store after the retention time has passed
    • Event ID 9535 – the process completes and lists that the mailbox was retained in the store
  • Finally you should see it in the disconnected mailbox view and you can connect it to the same AD user or another AD user.

This blog was based on smtpport25’s blog, http://smtpport25.wordpress.com/2009/04/22/deleted-mailbox-not-appearing-in-disconnected-mailbox-in-exchange-2007/


If you need to restore the mailbox because it was not retained in the mailbox store, see these great sites for restore guides using Recovery Storage Groups:
http://www.petri.co.il/using_rsg_in_exchange_2007.html
http://www.msexchange.org/tutorials/Working-Recovery-Storage-Groups-Exchange-2007.html
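The disable, clean and reconnect sequence from the post above as one EMS script; this is an added example rather than code from the original post or smtpport25's blog, and the user names, the 60-second polling window and the use of the mailbox GUID to locate the disconnected mailbox are my assumptions.

```powershell
# Added example (not from the original post): disables a mailbox, runs
# Clean-MailboxDatabase for that one database, then finds the disconnected mailbox
# by GUID and reconnects it to an AD user. User names are placeholders.
$UserToDisable = "contoso\jdoe"   # hypothetical mailbox owner
$TargetUser    = "contoso\jdoe"   # the same or another AD user to attach the mailbox to

# Record the database and mailbox GUID before disabling; the GUID is the reliable
# key for finding the disconnected mailbox afterwards (display names can collide).
$Mbx      = Get-Mailbox -Identity $UserToDisable
$Database = $Mbx.Database
$MbxGuid  = $Mbx.ExchangeGuid

Disable-Mailbox -Identity $UserToDisable -Confirm:$false

# Make the store notice the orphaned mailbox instead of waiting for online maintenance
Clean-MailboxDatabase -Identity $Database

# Disconnected mailboxes are the ones with DisconnectDate set. Poll briefly because
# the clean-up runs asynchronously (event 9531 logged at start, 9535 at completion).
$Disconnected = $null
for ($i = 0; $i -lt 12 -and -not $Disconnected; $i++) {
    Start-Sleep -Seconds 5
    $Disconnected = Get-MailboxStatistics -Database $Database |
        Where-Object { $_.DisconnectDate -ne $null -and $_.MailboxGuid -eq $MbxGuid }
}
if (-not $Disconnected) {
    throw "Mailbox $MbxGuid is not disconnected yet; check events 9531, 9533 and 9535"
}

# Reconnect it to the chosen AD account; the identity is the disconnected mailbox GUID
Connect-Mailbox -Identity $Disconnected.MailboxGuid -Database $Database `
    -User $TargetUser -Confirm:$false
```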

Request certificate using Exchange Management Shell

If you use the self-signed certificate assigned by the Exchange server itself there is a simple process to renew the certificate. You will typically get a note in the event viewer when the certificate is about to expire. Here’s a great blog that explains the process: http://exchangepedia.com/blog/2008/01/exchange-server-2007-renewing-self.html

To request or renew a 3rd-party (or internal PKI) SAN certificate residing on your Exchange server using EMS, I found this approach useful. In this example I used an internal PKI infrastructure to assign a certificate to my internal Exchange servers behind an NLB cluster for the Client Access role. I found that if the certificate is requested through an internal PKI infrastructure, the certificate is issued for a period of one year and has to be manually renewed.

  • Create a request using EMS with this command
  • New-ExchangeCertificate -GenerateRequest -SubjectName "C=net, O=msunified, CN=webmail.msunified.net" -DomainName webmail.msunified.net, webmail.msunified.local, cashub01.msunified.local, cashub02.msunified.local -FriendlyName "CAS SAN Certificate" -KeySize 1024 -Path c:\CAS_SAN_cert.req -PrivateKeyExportable:$true
  • Open the req file and copy everything except the lines
  • -----BEGIN NEW CERTIFICATE REQUEST-----
  • -----END NEW CERTIFICATE REQUEST-----
  • Navigate to your CA server using the following URL: http://CA-server/certsrv
  • Click “Request a certificate” and then select “advanced certificate request”
  • Click “Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.”
  • Paste the content in the “Saved Request” window
  • Hit Submit
    • If you have a 2003 CA and it does not support SAN certificates you need to enable it using this command
    • CERTUTIL -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
    • Restart the certificate service and IIS
  • click “download certificate chain” and save the file
  • On the exchange server import the certificate
  • Import-ExchangeCertificate -Path c:\2009-2.p7b -FriendlyName "webmail.msunified.net"
  • Copy the thumbprint and enable the certificate for the selected services
  • Enable-ExchangeCertificate -Thumbprint 8192F31A99E9C89A41F572CC7AC88864551AFC91 -Services pop,imap,smtp,iis
  • Export the certificate for other exchange servers having the same role with certificate chain using IIS or open the local computer personal store
  • On the other servers import using IIS
  • On the other servers run Enable-ExchangeCertificate -Thumbprint 8192F31A99E9C89A41F572CC7AC88864551AFC91 -Services pop,imap,smtp,iis
  • Remove the old certificate with the following command Remove-ExchangeCertificate -Thumbprint 8192F31A99E9C89A41F572CC7AC88864551AFC91

To renew self-signed certificates on the Edge servers for the SMTP transport service

  • On the EDGE servers open EMS and do the following
  • Get-ExchangeCertificate | New-ExchangeCertificate (if it's the only certificate on the server)
  • Remove-ExchangeCertificate -Thumbprint 1025C608027188FFA4DFAE77089D183DABACD077
  • You then have to re-establish the Edge synchronization with the new certificate
  • New-EdgeSubscription -FileName c:\newsub.xml
  • Copy the xml file to the internal servers
  • On the EMC for the HUB role in the organizational view, remove old edge subscription and then do a new one, specify the correct xml file
  • To synchronize the first time run from EMS the following commandlet: Start-EdgeSynchronization
  • To test the synch, run the following commandlet: Test-EdgeSynchronization

To be able to deploy SAN certificates from an internal CA, you may have to extend the attributes: http://support.microsoft.com/kb/931351

This blog is loosely based on these sites
http://telnetport25.wordpress.com/2008/07/13/windows-2008-exchange-2007-renewing-an-existing-ssl-certificate-on-your-client-access-server/
http://exchangepedia.com/blog/2008/01/exchange-server-2007-renewing-self.html
http://www.exchangeinbox.com/article.aspx?i=114
http://msexchangeteam.com/archive/2007/07/02/445698.aspx
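The request, import, enable and clean-up steps from the post above as EMS functions, plus an expiry check that catches the one-year internal-CA certificates before they lapse; this is an added example and not code from the post or the sites it is based on. The function names, the 30-day threshold and the 2048-bit key size (the post uses 1024) are my assumptions.

```powershell
# Added example (not from the original post): the CAS certificate life cycle as
# three EMS functions. Names, paths and thresholds are assumptions.
$Services     = "POP,IMAP,SMTP,IIS"
$FriendlyName = "CAS SAN Certificate"
$SanNames     = "webmail.msunified.net", "webmail.msunified.local",
                "cashub01.msunified.local", "cashub02.msunified.local"

function New-CasCertificateRequest {
    # Step 1: generate the PKCS#10 request. The private key stays on this server and
    # is marked exportable so the issued certificate can be copied to the other CAS nodes.
    New-ExchangeCertificate -GenerateRequest `
        -SubjectName "C=net, O=msunified, CN=webmail.msunified.net" `
        -DomainName $SanNames -FriendlyName $FriendlyName -KeySize 2048 `
        -Path "C:\CAS_SAN_cert.req" -PrivateKeyExportable:$true
}

function Install-CasCertificate([string]$ChainFile) {
    # Step 2: import the chain (.p7b) downloaded from http://CA-server/certsrv, enable
    # the new certificate for the services, then remove the certificate it replaces.
    $Old = Get-ExchangeCertificate | Where-Object { $_.FriendlyName -eq $FriendlyName }
    $New = Import-ExchangeCertificate -Path $ChainFile -FriendlyName $FriendlyName
    Enable-ExchangeCertificate -Thumbprint $New.Thumbprint -Services $Services -Confirm:$false
    foreach ($Cert in $Old) {
        if ($Cert.Thumbprint -ne $New.Thumbprint) {
            Remove-ExchangeCertificate -Thumbprint $Cert.Thumbprint -Confirm:$false
        }
    }
    return $New.Thumbprint
}

function Get-ExpiringExchangeCertificate([int]$DaysAhead = 30) {
    # Step 3: the internal CA issues one-year certificates, so list every certificate
    # bound to a service that expires within the window, before the event-log warning.
    $Deadline = (Get-Date).AddDays($DaysAhead)
    Get-ExchangeCertificate |
        Where-Object { $_.Services -ne "None" -and $_.NotAfter -lt $Deadline } |
        Select-Object Thumbprint, FriendlyName, Services, NotAfter
}
```

Run Get-ExpiringExchangeCertificate from a scheduled task on each Exchange server so a renewal is started before the certificate lapses.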

Get-MailboxDatabase oneliner

If you run the Get-MailboxDatabase cmdlet with no switches it returns all the Exchange 2007 databases in the organization. If you are looking for a list of when each database last had a full backup, you need to use the -Status switch.

Get-MailboxDatabase -Status | Sort -Property LastFullBackup |ft Identity,LastFullBackup

This will return the Identity and the time for the last full backup of each database in sorted order. This is a useful list when doing maintenance in an Exchange organization.

If you need a quick PowerShell script that dumps each Storage Group and its backup-related information, visit the Exchangepedia Blog at: http://exchangepedia.com/blog/2008/09/script-get-storage-group-backup-status.html
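The one-liner above extended into a check that flags databases with a stale or missing full backup; this is an added example, not code from the post or the Exchangepedia script, and the function name and default threshold are my assumptions.

```powershell
# Added example (not from the original post): lists databases whose last full backup
# is older than a threshold, treating a database that was never backed up
# (LastFullBackup empty) as the worst case rather than silently skipping it.
function Get-StaleMailboxDatabaseBackup([int]$MaxAgeDays = 1) {
    $Cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    # -Status is required: without it LastFullBackup is not populated at all
    Get-MailboxDatabase -Status |
        Where-Object { ($_.LastFullBackup -eq $null) -or ($_.LastFullBackup -lt $Cutoff) } |
        Sort-Object -Property LastFullBackup |
        Select-Object Identity, LastFullBackup,
            @{Name = "AgeDays"; Expression = {
                if ($_.LastFullBackup) { [int]((Get-Date) - $_.LastFullBackup).TotalDays }
                else { "never" } }}
}

# Databases with an empty LastFullBackup sort first, so they top the list
Get-StaleMailboxDatabaseBackup -MaxAgeDays 2 | Format-Table -AutoSize
```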

Wrong version number on Exchange 2007 mailbox

I had a problem with a user migrated from Exchange 2003 to Exchange 2007 not showing the correct version number. It was not listed as a Legacy Mailbox and it resided on an Exchange 2007 store. Running the Get-Mailbox command I saw that the version number on the mailbox was 0.0 and not 0.1 as expected for Exchange 2007. Because the mailbox was in this state, the user could not connect to OWA. I got the following message:

Inner Exception
Exception type: Microsoft.Exchange.Data.Directory.InvalidADObjectOperationException
Exception message: Property Languages cannot be set on this object because it requires the object to have version 0.1 (8.0.535.0) or later.
Current version of the object is 0.0 (6.5.6500.0).

To resolve this problem you need to correct the properties of the mailbox. Do this by running the following cmdlet in Exchange Management Shell:

Set-Mailbox -Identity <user> -ApplyMandatoryProperties

View KB 931747 article over at Microsoft Support, http://support.microsoft.com/kb/931747

Exchange 2010 Database Availability Groups

I found a post on Henrik Walther’s blog over at MSExchange.org that talks about DAG: http://blogs.msexchange.org/walther/2009/04/18/exchange-2010-database-availability-groups/

It is one of the most interesting new features in Exchange 2010. Here is a list of the new DAG functionality from the blog.

  • The new Database Availability Group (DAG) HA/site resilience feature replaces CCR/SCR/LCR
  • Also note that SCC has been deprecated/cut with Exchange 2010
  • DAG builds on the functionality we know from CCR and SCR; that is, it still uses asynchronous log shipping and replay etc.
  • An interesting thing about DAGs is that you’re no longer required to form a cluster before you install the MBX server role
  • The limited cluster features that are used by DAGs (primarily cluster heartbeat and quorum) are configured automatically when adding the first MBX server to the DAG and thereby more or less invisible to the administrator
  • With DAG you can have up to 16 copies of a Mailbox database
  • In addition, you can also have other Exchange 2010 server roles such as HT and CAS installed on an MBX server which is a member of a DAG
  • Also, you can have DAG members located on different subnets and in separate AD sites

This image over at MSExchange.org describes very well the most important changes in the EMS for administrators regarding DAG.