13 years of blogging and 2 000 000 views

Today, January 26th 2023, I hit a huge milestone. 2 000 000 views since I started blogging in 2009. msunified.net has been the home for me to share technical nuggets about Exchange, OCS, Lync, Skype for Business, Teams and Microsoft 365 for over 13 years. I have even shared productivity tips which has culminated in to my Digital Wellbeing thinking. I want to reflect and share my 10 all time most visited blogposts, my 5 favorited blogposts, some external articles I have written and share what I am working on these days.

If you have found any of my articles useful at some point, give this article or the social media post you found this through a like 👍 :)

10 all time most viewed blogposts

My 5 favorite blogposts which I often use today

External articles I have written for other sites and Tech Community

Office 365 for IT Pros

For four years, between 2018 and 2022, I contributed to the calling and meetings chapter for Office 365 for IT Pros. I strongly believe in that format, because it gets updated monthly😱 Tony Redmond heads up that book and the author team does a fantastic job of keeping you up do date on best practices and technical facts in Office 365. Blogposts are seldom kept up to date and that is why you have seen less blogposts here these years, since they get outdated faster than you can type :) I recommend you go and buy a subscribtion to Office 365 for IT Pros right now👍

msunified.net moving forward and what I am currently working on

Do I think blogposts are still worth it today? yes and no. No for “how to” blogposts because learn.microsoft.com is so much better than Microsoft documentation has ever been. Maybe you would rather suggest a change to the learn article if you find information missing. Yes when you want to share a routine, script, your understanding and design principles. I would say no to opinion pieces on a personal blog, maybe you want to share those on LinkedIn or a third party blogsite

These days I work mainly in two areas

  • Digital Wellbeing and working smart with Microsoft 365 combined with Microsoft Viva
    • I published 8 hours of deep dive training for free on YouTube which are indexed here
    • I recently rebranded as a Digital Wellbeing coach delivering inspiration talks, keynotes, leadership training and organizational training based on my Digital Wellbeing thinking :)
    • I run workshops, proof of concepts and talk at conferences about Microsoft Viva
    • I am part of the #VivaExplorers an enthusiastic gang of over 60 MVPs who bring their own angle in to the broad world of Microsoft Viva thought leadership and understanding.
  • Complex hybrid deployment for Exchange/Skype for Business/Teams
    • I see larger more complex and risk averse companies stretching or migrating to Microsoft 365
    • In those more locked down environments we need to be more precise in knowing what works and how
    • These past years i have spent a lot of time as advisor and hands-on with hybrid Exchange solving problems like free/busy, Autodiscover, oauth, hybrid modern auth, Outlook Mobile and making sure nothing is more open than it should be, some of it resulted in this blogpost and I might blog more about troubleshooting these scenarios
    • Same for hybrid Skype for Business, but that is easier than hybrid Exchange, if you have gone down the route and set up a proper Edge server topology :)
  • Make sure you check out my YouTube channel to get my latest videos and talks I do that other channels shares

Thanks to everyone who visits my blog on a daily basis and I think I struck a nerve when blogging about Set the custom Focusing status in Microsoft Teams from PowerShell using Power Automate which is daily the most visited blogpost on my site :)

Office 365 Multi-Factor Authentication requirements explained

Short version

mf_authMulti-Factor Authentication (MFA) in Office 365 is dependent on Modern Authentication which is oAuth 2.0 via ADAL that authenticates the user in Azure AD

Longer version with links to deep dives

  • What is MFA?
    • Multi-Factor Authentication (MFA) in Office 365 requires Modern Authentication (oAuth2.0 + ADAL) to be enabled for the clients and services that are going to use MFA
    • MFA, Two-step verification, is a method of authentication that requires more than one verification method combined with the Azure Authenticator App, SMS or phone call verification
    • Read more here
  • What is Modern Authentication?
    • Modern Authentication is oAuth 2.0 used via ADAL to enable newer applications (Outlook, Word, OneNote, Skype for Business and other Office applications) to authenticate to services such as Skype for Business, Exchange and SharePoint
    • In Office 2013 march 2015 update and later Modern Authentication is supported and in Office 2016it is enabled by default and will use an in-application browser control to render the Azure AD sign-in experience
    • Read more here
  • What is oAuth?
    • Open Authentication 2.0 (oAuth 2.0) is used as a component via ADAL as the web-based authorization flow between servers or clients and servers
    • Read more here
  • What is ADAL?
    • Microsoft Azure Active Directory Authentication Library (ADAL) is a tool in the .NET framework that lets client applications authenticate users to Office 365 and Azure AD
    • Read more here
  • Two options are available for SSO with on-premises AD that requires Modern Authentication
    • Pass Through Authentication (PTA)
      • Works with Office 365 only
      • Enabled on latest AADC with outbound connection only, no DMZ server
      • Just set up several AADC and it is automatically loadbalanced resulting in low operational cost
      • Does not store password in Azure AD, authenticates user in on-premises AD first and presents MFA after that if enabled
      • In combination with password sync you are not dependent on AADC uptime
      • Read more here and here
    • ADFS 3.0
      • Used for hybrid Skype for Business and Exchange environments
        • Skype for Business server Hybrid supports Modern Authentication, but will do NTLM authentication to on-premises AD and give MFA pop-up when authenticating to Exchange Online, read more here 
        • I recommend Pointsharp MFA for on-premises and hybrid Skype for Business deployments
        • Exchange Server hybrid requires MFA Server, read more here
        • For best Azure MFA result an Online only deployment is recommended
      • ADFS is best for larger organizations
      • More complex and requires proxy servers in DMZ with public IP and Certificate
      • Requires loadbalancer for high-availability
      • Is required when doing MFA with Smart Card, 3rd party tokens and certificate based authentication
      • Read more here
  • You can now use Microsoft Intune to control MFA options and turn of MFA for certain subnets and conditions, read more here
  • Read about conditional access, MFA with Intune Hybrid and SCCM
  • Use Azure AD Premium with automated password roll-over for business social media profiles protected by a MFA enabled identity with centrally controlled delegation, read more here


My TechNet Live Exchange 2010 Screencasts are Now Online at TechNet Edge

[tweetmeme source=”stalehansen” only_single=false]This year I got the honour to be the speaker at the Exchange track on TechNet Live in Norway. TechNet Live is hold in the four largest cities in Norway every year and this year it was about 1800 attendees for all the cities. Below are the Screencast from my sessions in Bergen. The presentations are in norwegian.

Session 1: Exchange 2010 Installation and Migration. Talks about:

  • Some new features in Exchange 2010
  • How to prepare before an installation
  • How to Migrate to Exchange 2010
  • How Client Access coexistence works
  • Gotchas during the first Exchange 2010 migrations
  • Download PDF

Session 2: Exchange 2010 Performance and Scalability. Talks about:

  • Memory and Processor requirements
  • Virtualization
  • Planning for Scalability
  • Some new High Availability features
  • Walks through some new HA scenarios for Exchange 2010
  • Download PDF


Install Exchange 2010 with latest update in Unattended Mode

[tweetmeme source=”stalehansen” only_single=false]If you are planning to install a new Microsoft Exchange Server 2010, you should probably consider installing the latest update before configuring any of the server roles.

The below guide is not written by me. I found it so useful that I want to repost it here on my blog for later reference. This guide is written by Elie Bou Issa and the original article can be found here:  http://blog.elieb.info/2010/03/06/exchange-2010-with-ur2-installation-in-unattended-mode.aspx

In the below scenario, we are installing the Mailbox role, the Client Access role and the Hub Transport role along with Update Rollup 2 in unattended mode. The exchange installation root folder is called exch and the Update Rollup 2 is placed under C:\Exchange2010\Patches. To install the exchange prerequisites, run “Exchange-Typical.xml” from the Scripts folder found in the installation directory. You can also take a look at this post for installing the prerequisites manually: https://msunified.net/2009/10/30/exchange-2010-prerequisites-on-server-2008-r2/
After successfully installing the prerequisites, set the NetTcpPortSharing service startup type to automatic by running the below command
Now, it is time to run the setup in unattended mode.
To do that, run the following command from the exchange installation directory:
Setup.com /m:Install /r:M,C,H /OrganizationName:Name of the Organization /UpdatesDir: Updates path 
If you wish to check the different options for unattended setup, you can refer to Install Exchange 2010 in Unattended Mode
After completing the installation, you can check the product version by clicking Help-> About from the Exchange Management Console as shown below:

Exchange and OCS Google custom search

Exchange and OCS Google custom searchI have created a Custom Search engine using Google custom search. I have set it up to only search the sites, blogs and technical resources that I have specified. I will use this search engine when troubleshooting and finding useful information. The point is to remove all the unnecessary hits you get from using the regular search engine and make sure I get hits from the brightest bloggers out there.

I have tried to collect good blogs and resources for Exchange and OCS and have made a list of the sites that are added. Try it out and please let me know if there are sites that should be in the search engine and I’ll add them.


Update 11.08.09: Added Exchange and OCS blogs from Pointbridge

Update 14.08.09 added the following blogs taken from the great collection over at the Communicatins Server Team:

Update 07.02.10 added the following blogs

Update 02.05.10 added the following blogs

Update 24.10.10 added the following blog

Allowing application servers to relay off Exchange Server 2007

To allow application servers to relay through your Exchange 2007 server do the following

  • Create a new internal receive connector in EMC
  • Add the servers that need to relay
  • When created edit the settings and navigate to Permission Groups
  • Select only Anonymous users, deselect other options
  • Navigate to the Authentication tab
  • Deselect every checkbox so that nothing is selected
  • Apply changes
  • Open EMS and run the following commandlet
  • Get-ReceiveConnector “InternalRelay” | Add-ADPermission -User “NT AUTHORITY\ANONYMOUS LOGON” -ExtendedRights “ms-Exch-SMTP-Accept-Any-Recipient”
  • Relay should now work for the selected servers

This information was based on this blog, http://msexchangeteam.com/archive/2006/12/28/432013.aspx

Deleted Mailbox not appearing in Disconnected mailbox in Exchange 2007

[tweetmeme source=”stalehansen” only_single=false]Deleted mailboxes will appear in disconnected mailbox list, but it will not reflect immediately. You have to wait for online maintenance to run and complete.

If you accidentally delete mailbox and if you wanted to reconnect it back then you may not be able to find it Disconnected Mailbox. You have to  run Clean-MailboxDatabase to get the deleted mailbox. Also if you want to disconnect the mailbox to re-add it to an other user or the same user do the following:

  • Disable the mailbox in EMC
  • When you disable a mailbox the user object stays in AD and the mailbox is marked for deletion.
  • The disconnected mailbox should appear in the disconnected mailbox view
  • If it is not appearing in the disconnected mailbox view run one of the following commands from powershell

Clean-MailboxDatabase \servername\SGName\Store
Cleaning Database of Individual Store

Get-Mailboxdatabase | Clean-MailboxDatabase
Cleans all the database in the Organization

Get-Mailboxdatabase | Where{ $_.Server –eq “<servername>”}| clean-MailboxDatabase
Cleans all the database in the specific store

Get-Mailboxdaatabase | Where{ $_.Name –eq “<DatabaseName>”}| clean-MailboxDatabase
Cleans all the Database which matches the specific name given in Databasename

  • After the command completes, check the event viewer for the following  event ID’s
    • Event ID 9531 – the clean mailboxdatabase process has begun
    • Event ID 9533 – a user does not exist in the directory or is not enabled for Exchange mail. This mailbox will be removed from mailbox store  in after the retention time has passed
    • Event ID 9535 – the process completes and lists that the mailbox was retained in the store
  • Finally you should see it in the disconnected mailbox view and you can connect it to the same AD user or an other AD user.

This blog was based on smtpport25’s blog, http://smtpport25.wordpress.com/2009/04/22/deleted-mailbox-not-appearing-in-disconnected-mailbox-in-exchange-2007/

If you need to restore the mailbox because it is not retained in the mailbox store, see these great sites for restore guide using Recovery Storage Groups

Request certificate using Exchange Management Shell

If you use the self-signed certificate assigned by the Exchange server itself there is a simple process to renew the certificate. You will typically get a note in the event viewer when the certificate is about to expire. Here’s a great blog that explains the process: http://exchangepedia.com/blog/2008/01/exchange-server-2007-renewing-self.html

To request or renew a 3rd-party (or from internal PKI infrastructure) SAN certificate that resides on your Exchange server using EMS I found this approach being useful. In this example I used an internal PKI infrastructure to assign a certificate to my internal Exchange Servers behind a NLB cluster for the ClientAccess role. I found that if the certificate is requested through an internal PKI infrastructure the certificate is issued for a period of one year and has to be manually renewed.

  • Create a request using EMS with this command
  • New-ExchangeCertificate –GenerateRequest –SubjectName “C=net, O=msunified, CN=webmail.msunified.net” –DomainName webmail.msunified.net, webmail.msunified.local, cashub01.msunified.local, cashub02.msunified.local –FriendlyName “CAS SAN Certificate” –KeySize 1024 –Path c:\CAS_SAN_cert.req –PrivateKeyExportable:$true
  • Open the req file, and copy everything except
  • Navigate to you CA server using the following url: http://CA-server/certsrv
  • click “request a certificate” and then select “advanced certificate request”
  • click  “Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.”
  • past the content in the “saved request” window
  • hit submit
    •  If you have a 2003 CA and it does not support SAN certificates you need to enable it using this command
    • Restart the certificate service and IIS
  • click “download certificate chain” and save the file
  • On the exchange server import the certificate
  • Import-ExchangeCertificate -Path c:\2009-2.p7b -FriendlyName “webmail.msunifed.net”
  • Copy the thumbprint and enable the certificate for the selected services
  • Enable-ExchangeCertificate -Thumbprint 8192F31A99E9C89A41F572CC7AC88864551AFC91 -Services pop,imap,smtp,iis
  • Export the certificate for other exchange servers having the same role with certificate chain using IIS or open the local computer personal store
  • On the other servers import using IIS
  • On the other servers rund Enable-ExchangeCertificate -Thumbprint 8192F31A99E9C89A41F572CC7AC88864551AFC91 -Services pop,imap,smtp,iis
  • Remove the old certificate with the following command Remove-ExchangeCertificate -Thumbprint 8192F31A99E9C89A41F572CC7AC88864551AFC91

To renew self-signed certificates on the EDGE servers for the SMPT transport service

  • On the EDGE servers open EMS and do the following
  • Get-ExchangeCertificate | New-ExchangeCertificate (if its the only certificate on the server)
  • Remove-ExchangeCertificate -Thumbprint 1025C608027188FFA4DFAE77089D183DABACD077
  • You then have to re-establish the EDGE syncronizations with the new certificate
  • New-EdgeSubscription -FileName c:\newsub.xml
  • Copy the xml file to the internal servers
  • On the EMC for the HUB role in the organizational view, remove old edge subscription and then do a new one, specify the correct xml file
  • To synchronize the first time run from EMS the following commandlet: Start-EdgeSynchronization
  • To test the synch, run the following commandlet: Test-EdgeSynchronization

To be able to deploy SAN certificates from intern CA, you may have to extend the attributes: http://support.microsoft.com/kb/931351

This blog is loosely based on these sites

Get-MailboxDatabase oneliner

If you run the Get-MailboxDatabase commandlet with no switches it returns all the Exchange 2007 databases in the organization. If you are looking for a list of when each database had a full backup you need to use the -Status switch.

Get-MailboxDatabase -Status | Sort -Property LastFullBackup |ft Identity,LastFullBackup

This will return the Identity and the time for the last full backup of each database in sorted order. This is a useful list when doing maintenance in an Exchange organization.

If you need  a quick powershell script that dumps each Storage Group and its backup-related information visit the Exchangepedia Blog at: http://exchangepedia.com/blog/2008/09/script-get-storage-group-backup-status.html

Wrong version number on Exchange 2007 mailbox

I had a problem with a migrated user from Exchange 2003 to Exchange 2007 not showing the correct version number. It was not listed as Legacy Mailbox and it resided on a Exchange 2007 store. Running the get-mailbox command I saw that the version number on the mailbox was 0.0 and not 0.1 for Exchange 2007. Because of the mailbox being in this state the user could not connect to OWA. I got the following message:

Inner Exception
Exception type: Microsoft.Exchange.Data.Directory.InvalidADObjectOperationException
Exception message: Property Languages cannot be set on this object because it requires the object to have version 0.1 (8.0.535.0) or later.
Current version of the object is 0.0 (6.5.6500.0).

To resolve this problem you need to correct the properties of the mailbox. Do this by running  the following commandlet  in Exchange Management Shell:

Set-Mailbox -Identity <user> -ApplyMandatoryProperties

View KB 931747 article over at Microsoft Support, http://support.microsoft.com/kb/931747