Tag: Microsoft Office 365

  • Moving mailboxes to/from Exchange Online using the EAC

    One of the advantages with deploying Exchange Online in a hybrid configuration (i.e. Exchange on-premises and Office 365 Exchange Online in the cloud) is that you can easily move mailboxes back and forth.

    It can be done with PowerShell but one of the straightforward methods is from the Exchange Admin Center (EAC), where there’s an option (to the bottom right of the mailbox panel, under recipients in the Enterprise tab) to move a mailbox to Exchange Online, or to another database (locally), with most of the settings pre-populated for you (like the target mail domain or tenantname.mail.onmicrosoft.com).

    Moving back requires a slightly different process though and needs to be performed from the migration panel in the Office 365 tab of EAC.

    You’ll also need to know the name of the database you want to move the mailbox to on-premises, and the mail domain name.

    One of the challenges I found with moving mailboxes to/from Exchange Online using the EAC was that I sometimes saw a migration batch marked as “Completed” but with 0 of 0 synced, 0 of 0 finalized, 0 failed. This seems to happen if a previous mailbox move had failed; deleting the failed migration batch before re-attempting seems to allow the mailbox move to run successfully.

  • Configuring Lync hybrid (split domain) with Lync 2013 and Skype for Business Online

    Lync (now Skype for Business) is a bit of a mystery to me. Occasionally I get close enough to mess around the edges, but never to truly understand how it works. And when it dives off into telephony, well, that’s another world…

    I did recently have to configure a Lync/Skype for Business Online hybrid (split domain) for a customer though, as part of their Office 365 project. It brought up a few challenges, but MVP Adam Jacobs has a really good step-by-step guide to enabling split-domain within Office 365 Lync Online.

    I described Lync Hybrid (split-domain) in a post for TechNet UK earlier this year – and I’ll stress again here that it’s not to be confused with Hybrid Voice… although there is plenty happening about Skype for Business and voice…

    Some people say ADFS is required but we had it working with Azure AD Sync (with password sync), so maybe not. The test system I was working on threw up its own set of challenges though so if you do follow what I found (with help from various colleagues including Martin Boam, Kevin Beacon and Mark Vale), your mileage may vary.

    The basic steps for configuring Lync hybrid (split domain) are:

    1. Make sure Office 365 is working, your directory is syncing and users have licenses assigned.
    2. Also, make sure that Skype for Business Online and Lync have the same configuration – i.e.:
      • Domain matching (if partner discovery is enabled on the on-premises deployment, then open federation must be configured for the online tenant; if partner discovery is not enabled, then closed federation must be configured for the online tenant).
      • Blocked domains.
      • Allowed domains.
    3. On the Lync Front End server (I was using Lync 2013 but you can use 2010 with the March 2013 update or later and the Lync 2013 administration tools deployed), configure the Access Edge settings with Set-CsAccessEdgeConfiguration -UseDnsSrvRouting -AllowOutsideUsers $true -AllowFederatedUsers $true -EnablePartnerDiscovery $true (you may need to adjust the setting for partner discovery, based on the domain matching above).
    4. Set up the hosting provider with New-CSHostingProvider -Identity LyncOnline -ProxyFqdn "sipfed.online.lync.com" -Enabled $true -EnabledSharedAddressSpace $true -HostsOCSUsers $true -VerificationLevel UseSourceVerification -IsLocal $false -AutodiscoverUrl https://webdir.online.lync.com/Autodiscover/AutodiscoverService.svc/root.
    5. Make sure you have the Skype for Business Online Windows PowerShell Module and also the Microsoft Online Services Sign-In Assistant (MOS SIA) installed.
    6. Connect to Skype for Business Online.
      • If prompted for a target server, the URL is the same as when you access the Skype for Business Online Admin Center from the Office 365 portal. For me that was admin1e.online.lync.com.
      • You may also need the -AllowClobber switch when importing the session.
      • You may also find that you need to Import-Module SkypeOnlineConnector.
    7. Set up the shared namespace with: Set-CsTenantFederationConfiguration -SharedSipAddressSpace $true.

    To move users to Skype for Business Online, all that’s needed is a single PowerShell command:

    Move-CsUser -Identity sip:alias@domainname.tld -Target sipfed.online.lync.com -Credential $creds -HostedMigrationOverrideUrl https://admin1e.online.lync.com/hostedmigration/hostedmigrationservice.svc -Confirm:$false

    (again, admin1e.online.lync.com works for me but might not for all tenants).

    To check for a successful move, either type Get-CsUser -Identity alias@domainname.tld or look in the Lync Control Panel. Office 365 users will show the home pool as LyncOnline and when you click through to the details, Lync will flag that the user is homed in Office 365:

    Configuring Lync hybrid (split domain): user homed in Office 365

    Further reading

    Other posts I found useful include MVP Paul Robichaux’s post on fixing the “Cannot find registrar pool” error for sipfed.online.lync.com (one of the issues I had, although my problems seemed to run deeper than Paul’s – I had to delete my hosting provider from the Lync Control Panel, then recreate it in PowerShell).

  • “Delivery has failed to these recipients or groups” when running Exchange in an Azure VM

    Exchange didn’t use to be supported in Azure. It is now, subject to specific requirements; however, there’s a big difference between “supported” and “works”, and it was always theoretically possible.

    My current customer has a test environment running on a number of Azure VMs. All was working well, until I started to test mail flow out of the organisation. My mailboxes (work and personal) are both on Office 365 and the reply came back as:

    Delivery has failed to these recipients or groups:

    Mark Wilson
    Your message wasn’t delivered due to a permission or security issue. It may have been rejected by a moderator, the address may only accept email from certain senders, or another restriction may be preventing delivery.

    The following organization rejected your message: DB3FFO11FD037.mail.protection.outlook.com.

    Basically, Exchange Online Protection was bouncing the mail. The error continued with diagnostic information for administrators and I could see that the message was leaving the organisation, then returning to the Exchange Edge server.

    I could also see in one of the messages that it said:

    “Remote Server returned ‘<DB3FFO11FD037.mail.protection.outlook.com #5.7.1 smtp;550 5.7.1 Service unavailable; Client host [123.123.123.123] blocked using FBLW15; To request removal from this list please forward this message to delist@messaging.microsoft.com>’”

    So I emailed and asked to be removed, quickly receiving a very polite but understandably automated and non-committal response:

    “Hello ,
    Thank you for your delisting request SRX1234567890ID. Your ticket was received on (Aug 28 2015 12:26 AM UTC) and will be responded to within 24 hours.

    Our team will investigate the address that you have requested to be removed from our blocklist. If for any reason we are not able to remove your address, one of our technical support representatives will respond to you with additional information.

    Regards,
    Technical Support”

    Within 24 hours, Microsoft had responded to say that we had been delisted from their blocklists (presumably they checked that the IP address was one of theirs – which was also one reason why we couldn’t add a reverse DNS record, as one might expect with an SMTP server) and the mail had started to flow:

    “Hello ,
    Thank you for contacting Microsoft Online Services Technical Support. This email is in reference to ticket number 1234567890, which was opened in regards to your delisting request for 123.123.123.123.

    The IP address you submitted has been reviewed and removed from our block lists. Please note that there may be a 1-2 hour delay before this change propagates through our entire system.

    We apologize for any inconvenience this may have caused you. As long as our spam filtering systems do not mark a majority of email from the IP address as spam-like, your messages will be allowed to flow as normal through our network. However, should we detect an increase in spam-like activity, the IP address may be re-added to our block list.

    Should you have any further questions or concerns, please feel free to respond to this email.

    Thank you again for contacting Microsoft Online Services technical support and giving us the opportunity to serve you.”

    I’m glad the experience was with a customer’s test environment, and not live email flow, but worth remembering for the future…

    [Ticket numbers and IP addresses in this scenario have been changed]

  • Control OneDrive for Business syncing to prevent data copies on non-domain-joined PCs

    One of the recently announced changes to Office 365 is the ability to better control OneDrive for Business. Specifically, it’s now possible to control OneDrive for Business syncing to prevent data from being copied to non-domain-joined PCs, based on a list of approved domains, as well as to change the storage limit for users (perhaps 1TB is just too much data and something more restrained might reduce the impact on your network). There are also some changes around the “Shared with Everyone” folder, which used to be created by default but isn’t anymore.

    The full details are in an Office Mechanics video, linked from a Microsoft blog post but I recently had the chance to try them out for real.

    Step 1 is to determine the ObjectGuid for each of the domains in my customer’s Active Directory Forest, using Active Directory PowerShell:

    $domains = (Get-ADForest).Domains; foreach($d in $domains) {Get-ADDomain -identity $d | Select ObjectGuid}

    Step 2 is to connect to Office 365 using PowerShell:

    $cred = Get-Credential
    Connect-SPOService -Url https://tenantname-admin.sharepoint.com/ -Credential $cred

    Step 3 is to take the ObjectGuid from step 1 and use the Set-SPOTenantSyncClientRestriction cmdlet to restrict synchronisation:

    Set-SPOTenantSyncClientRestriction -enable -DomainGuids "a0083dbb-e136-4f48-a048-2ec3a4c40cab"

    It’s worth noting that, initially, this failed for me – Set-SPOTenantSyncClientRestriction wasn’t a valid command in the version of the SharePoint Online Management Shell I had installed. I checked the version with Get-Module -ListAvailable | Format-List version, name and found I had version 15.0.4569.0 of Microsoft.Online.SharePoint.PowerShell. After updating to the latest version, I was at version 16.0.4316.0, which worked a treat:

    TenantRestrictionEnabled AllowedDomainList
    ------------------------ -----------------
                        True {a0083dbb-e136-4f48-a048-2ec3a4c40cab}
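    Steps 1 to 3 above done in one pass for a multi-domain forest, followed by a read-back check that the tenant actually stored every GUID, as an added example that is not from the original post. The admin URL is a placeholder, Set-SyncRestrictionForForest is my function name, and the semicolon as the separator between GUIDs in -DomainGuids is an assumption taken from the cmdlet documentation as I recall it.

```powershell
# Added example (not from the original post): restrict OneDrive for Business sync
# to every domain in the on-premises forest, then verify the tenant stored them all.
Import-Module ActiveDirectory
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking

function Set-SyncRestrictionForForest {
    param(
        [Parameter(Mandatory)][string]$AdminUrl,   # placeholder, e.g. https://tenantname-admin.sharepoint.com/
        [System.Management.Automation.PSCredential]$Credential = (Get-Credential)
    )
    # The cmdlet did not exist in the 15.x module (see above), so fail early with a clear message.
    $mod = Get-Module -ListAvailable Microsoft.Online.SharePoint.PowerShell |
        Sort-Object Version -Descending | Select-Object -First 1
    if (-not $mod -or $mod.Version.Major -lt 16) {
        throw "Microsoft.Online.SharePoint.PowerShell 16.x or later is required (found: $($mod.Version))"
    }

    # Step 1: one ObjectGuid per domain in the forest, not just the domain we happen to be in.
    $guids = @((Get-ADForest).Domains | ForEach-Object { (Get-ADDomain -Identity $_).ObjectGuid.ToString() })

    # Step 2: connect to the tenant admin site.
    Connect-SPOService -Url $AdminUrl -Credential $Credential

    # Step 3: -DomainGuids takes a single string; assumption: GUIDs are separated by ';'.
    Set-SPOTenantSyncClientRestriction -Enable -DomainGuids ($guids -join ';')

    # Verify: read the setting back and compare it with what was sent.
    $state   = Get-SPOTenantSyncClientRestriction
    $stored  = @($state.AllowedDomainList | ForEach-Object { $_.ToString().ToLowerInvariant() })
    $missing = @($guids | ForEach-Object { $_.ToLowerInvariant() } | Where-Object { $stored -notcontains $_ })
    [pscustomobject]@{
        Enabled        = $state.TenantRestrictionEnabled
        DomainsSent    = $guids.Count
        DomainsStored  = $stored.Count
        MissingDomains = $missing
    }
}

Set-SyncRestrictionForForest -AdminUrl 'https://tenantname-admin.sharepoint.com/'
```

    A non-empty MissingDomains in the returned object means a GUID was silently dropped and PCs in that domain will be blocked from syncing.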

    It’s important to understand how the restrictions are enforced though:

    • Not only will OneDrive for Business sync client requests originating from a PC that is not joined to a domain on the safe recipients list be blocked, but all OneDrive for Business Mac sync client requests will be blocked too. In other words, a sync relationship will not be established unless the PC is joined to an allowed domain.
    • However:
      • Mobile clients are not blocked (there are separate MDM controls for this) and any files that have previously been synced to the computer will not be deleted.
      • New or existing files added to the client will still be uploaded to the server and will not be blocked.
      • OneDrive for Business sync clients prior to version 15.0.4693.1000 will stop syncing existing libraries.

    Controlling the storage quota was a little more tricky. I found that I could use Get-SPOSite -Identity https://tenantname-my.sharepoint.com/personal/firstname_lastname_tenantname_onmicrosoft_com to view the properties of a user’s OneDrive for Business site, but attempting to set the quota on the same site presented an error:

    Set-SPOSite -Identity https://tenantname-my.sharepoint.com/personal/firstname_lastname_tenantname_onmicrosoft_com -StorageQuota 2048

    Set-SPOSite : Cannot get site https://tenantname-my.sharepoint.com/personal/firstname_lastname_tenantname_onmicrosoft_com.
    At line:1 char:1
    + Set-SPOSite -Identity
    https://tenantname-my.sharepoint.com/personal/firstname_lastname …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Set-SPOSite], ServerException
    + FullyQualifiedErrorId : Microsoft.SharePoint.Client.ServerException,Microsoft.Online.SharePoint.PowerShell.SetSite

    I haven’t fixed that yet, so I’ll be returning to the topic again soon, no-doubt…

    Post Script

    There is a known issue with domain joined PCs failing to sync OneDrive for Business, even when added to a safe list, which is fixed by the 12 May 2015 update for OneDrive for Business (see Microsoft knowledge base article 2986244).

  • Office 365 command line administration (redux)

    Every now and again, I find myself looking up the same things for Office 365 command line administration (i.e. using PowerShell), so it’s probably worth me writing them down in one post…

    Of course, a connection to Office 365 from PowerShell is a pre-requisite – although that’s a lot simpler now than it used to be as there’s no longer any need for the Microsoft Online Services Sign In Assistant (MOS SIA), just:

    Import-Module MSOnline
    $Credential = Get-Credential
    Connect-MsolService -credential $Credential

    If you’re doing this in a script, you might want to save the password as a secure string (as described in more detail by Kris Powell). Note that without a -Key, ConvertFrom-SecureString protects the string with DPAPI, so Password.txt can only be converted back by the same user account on the same machine:

    (Get-Credential).Password | ConvertFrom-SecureString | Out-File Password.txt

    To use the secure string:

    $User = "alias@domainname.tld"
    $Pass = Get-Content "Password.txt" | ConvertTo-SecureString
    $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user,$pass

    Then Connect-MsolService -credential $Credential as above.

    Setting a user password (and making sure you don’t need to force a change – one reason to do it from PowerShell rather than the web portal) involves:

    Set-MsolUserPassword -UserPrincipalName alias@domainname.tld -forcechangepassword $false -newpassword password

    And, if it’s a service account, to turn off password expiry:

    Set-MsolUser -UserPrincipalName alias@domainname.tld -PasswordNeverExpires $true


  • Export transport rules from Exchange or Exchange Online

    After all my work last week creating Exchange transport rules for profanity, audio/video attachments, message encryption and more, I wanted to export the rules just in case they needed to be re-established. Thanks to TechNet, I found the required PowerShell to export transport rules from Exchange or Exchange Online, which is:

    $file = Export-TransportRuleCollection
    Set-Content -Path "ExchangeOnlineRules.xml" -Value $file.FileData -Encoding Byte

    The resulting XML includes the New-TransportRule commands to re-create the rules if required (or the Import-TransportRuleCollection cmdlet can be used instead).

  • Getting to grips with Office 365 Message Encryption

    As part of my work this week with Exchange transport rules, I needed to recreate another facility that my customer has grown used to in Office 365 – the ability to selectively encrypt emails using keywords.

    This one turned out to be relatively straightforward – Office 365 Message Encryption has been around for a while now (it replaced Exchange Hosted Encryption) and I was able to use a transport rule to detect a phrase in the subject or body (“encrypt me please”) and apply Office 365 Message Encryption accordingly. I could equally have done this based on other criteria (for example, I suggest that any message marked as confidential and sent externally would be a good candidate).

    So, the rule is fairly simple:

    New-TransportRule -Name 'Encrypt email on request' -Comments ' ' -Mode Enforce -SubjectOrBodyContainsWords 'encrypt me please' -ApplyOME $true

    Office 365 Message Encryption needs Azure RMS

    The challenge for me was that I wasn’t creating it in PowerShell – I was using the Exchange Admin Center and the appropriate options weren’t visible. That’s because Office 365 Message Encryption needs Azure Rights Management Services (RMS) to be enabled, and it’s necessary to use the More Options link to expose the option to Modify the Message Security… from which it’s possible to Apply Office 365 Message Encryption.

    Unfortunately that still didn’t work and the resulting error message was:

    You can’t create a rule containing the ApplyOME or RemoveOME action because IRM licensing is disabled.

    It seems it’s not just a case of enabling RMS in the service settings. I also needed to run the following commands in PowerShell:

    Set-IRMConfiguration -RMSOnlineKeySharingLocation "https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc"

    (that’s the European command – there are alternative locations for other regions listed in the post I used to help me)

    Import-RMSTrustedPublishingDomain -RMSOnline -name "RMS Online"
    Test-IRMConfiguration -RMSOnline

    (check everything passes)

    Set-IRMConfiguration -InternalLicensingEnabled $true

    With RMS/Information Rights Management (IRM) properly enabled I could create the rule as intended.

    Customising the experience

    Testing my rule was easy enough, but it’s also possible to customise the portal that recipients go to in order to read the encrypted message.

    This is all done in PowerShell, with some simple commands:

    Get-OMEConfiguration provides the current Office 365 Message Encryption configuration; to set the configuration to meet my requirements, I used:

    Set-OMEConfiguration -Identity "OME Configuration" -Image (Get-Content "markwilsonitlogo.png" -Encoding byte) -PortalText "markwilson.it Secure Email Portal" -EmailText "Encrypted message from markwilson.it"

    The tricky bit was working out how to provide the logo file, as supplying just the filename creates a PowerShell error: the Get-Content cmdlet has to be used to read the file as bytes.

    Further reading

    Office 365 Message Encryption (and decryption) – steps – understanding, purchase options, configuration, branding and use.

  • Exchange transport rules to detect audio/video attachments

    After my fun creating a profanity filter for Exchange Online earlier this week, my attention turned to some of the other rules that my customer needed re-creating in preparation for the move to Office 365. Most were fairly straightforward blocks on certain domains/addresses or using the normal templates to prevent financial data from being leaked, etc. but then I found another one that I’d expect to be included in Exchange Online Protection, but isn’t: copying any audio/video files emailed from within the organisation to a defined mailbox.

    The rule itself is quite simple, but the number of file extensions involved meant I actually needed 4 rules to avoid this error message:

    The rule can’t be created because it is too large. It has 9028 characters, and the maximum number of characters is 8192.

    Reduce the size, either by removing content, such as words or regular expressions, from the rule; or by removing conditions, exceptions, or actions from the rule.

    After chunking the attachment extensions, the final Exchange transport rules used to detect audio/video attachments were:

    New-TransportRule "Notify Security if outbound email contains audio (1)" -AttachmentExtensionMatchesWords 'afc','vag','copy','vdj','sng','aob','act','ang','nra','hsb','rfl','sma','smp','syh','vyf','acm','at3','vmd','aimppl','nvf','saf','xfs','ins','alac','mod','omf','sfk','als','caf','gp5','wav','mp3','pla','abm','aup','wma','acd-zip','amxd','dmsa','dmse','emp','logicx','m4r','midi','ptx','rns','rx2','slp','trak','5xb','a2b','a2i','agr','akp','asd','bnk','bun','bww','csh','dfc','dsm','dtm','fev','flp','frg','g726','gsm','h5b','h5s','isma','krz','ksf','mbr','mmlp','mpga','mtp','musx','nkc','nkm','omg','pkf','r1m','rex','rip','rol','sbi','sfpack','smf','sseq','svd','syw','tg','u','uax','vpl','zvd','0.669','eop','mus','sf2','mid','ksd','aif','flp','oga','pcg','sty','dig','mscz','ogg','m3u','flac','sib','aiff','syx','zab','dss','gpk','xspf','mui','vlc','nbs','5xe','logic','minigsf','sd','sdat','wve','ins','cda','ram','aac','iff','nki','wave','wpk','dff','amr','3ga','dcf','aud','cwt','dls','ds2','flm','nsa','it','pcm','pho','q1','sns','sph','xwb','dsp','sam','u8','wand','ym','ac3','oma','sds','stm','acd','dsf','cpr','xa','m3u8','ftm','4mp','apl','cwp','cws','gpbank','gsflib','med','mo3','mx5','ply','qcp','rmj','w64','ahx','au','b4s','h0','h3e','hbb','hbs','ins','kit','kmp','ksc','mdl','mu3','phy','q2','sbg','sfap0','smp','toc','vgz','vmf','zpa','2sf','m4a','ds','nsf','sesx','ape','fls','mus','emx','pcast','dtshd','mmm','peak','vox','bmml','mscx','xmf','rtm','pls','sfl','xm','avastsounds','snd','voc','wax','wpp','ra','cdr','seq','gpx','au','aa','m4b','odm','mpa','amz','5xs','a2m','abc','acd-bak','adts','agm','aifc','alc','amf','band','bap','bdd','bidule','bwf','caff','cdda','cdlx','cdo','cel','cgrp','cidb','ckb','conform','cpt','cwb','dct','dewf','df2','dig','dm','dmf','dra','drg','dwd','efk','efq','efs','efv','emd','esps','f2r','f32','f3r','f4a','f64','fdp','fsb','fsc','fsm','ftm','ftmx','fzf','fzv','g721','gig','groove','gsf','h4b','hbe','igp','iti','koz','koz','kt3','la','lso','lwv','m4p','ma1','mdc','mgv','miniusf','mka','mmp','mmpz','mpc','mte','mti','mtm','mus','mux','narrative','nkb','nks','nkx','nml','note','nrt','nst','ntn','nwc','obw','okt','omx','ovw','pandora','pca','pek','pna','psm','ptm','pts','rax','rgrp','rmi','rmx','rng','rso','rti','s3i','sc2','scs11','sd2','sfz','sgp','smpx','sou','sppack','sprg','stap','sty','sxt','syn','td0','tta','txw','ult','uni','usf','usflib','ust','uw','uwf','vap','vc3','vmo','voxal','vpm','vpw','vrf','vsq','wfb','wfm','wfp','wow','wproj','wrk','wus','wut','wv','wvc','wwu','xmu','xrns','yookoo','adv','cmf','dmc','gmc','mp_','ppcx','sbk','sid','sng','vgm','6cm','8med','a52','al','d01','evr','fda' -GenerateIncidentReport security
    New-TransportRule "Notify Security if outbound email contains audio (2)" -AttachmentExtensionMatchesWords 'gsm','kin','mini2sf','pd','prg','record','rmf','tmc','tun','wyz','xp','xt','kar','vb','wem','adg','dts','kfn','pk','mxl','mtf','ncw','dw','igr','vce','ddt','k25','sf','dvf','aa3','adt','fpa','h5e','mpdp','ove','rbs','sd','slx','stx','swa','vsqx','w01','zpl','mmp','opus','ppc','rsf','sdt','wav','xa','xpf','xsb','brstm','tak','ptf','efa','g723','mmf','s3m','sap','vqf','2sflib','avr','ear','mp1','dcm','ay','zvr','pat','ams','cts','gbs','ics','k26','mp2','mts','myr','ots','psf','rsn','ses','shn','snd','a2p','a2t','a2w','ab','acp','ais','alaw','all','apf','aria','ariax','axa','bwg','c01','ckf','djr','efe','emy','erb','far','fti','gbproj','gym','h3b','h4e','hdp','iaa','imp','itls','its','jam','jam','kpl','kt2','l','lof','lqt','m','m1a','m2','minipsf','minipsf2','mogg','mpu','mt2','mux','mx3','mx4','mx5template','npl','ofr','ovw','pbf','pjunoxl','plst','pno','prg','psf1','psf2','psy','ptcop','pvc','rad','raw','rbs','rcy','rmm','rta','rts','rvx','s3z','sd2f','spx','sseq','ssnd','svq','svx','thx','tsp','ub','ulaw','v2m','vmf','vtx','wtpl','wtpt','xbmml','xmi','xmz','xsp','zgr','atrac','box','fzb','hmi','imf','sdx','aax','sb','cfa','mxmf','pac','d00','8svx','ams','wfd','msv','xi','nmsv','ase','awb','expressionmap','hma','hps','mlp','mzp','sfs','snd','tak','8cm','gm','lvp','bcs','bonk','cfxr','dwa','fff','gio','gio','gro','jo','jo-7z','ksm','ktp','minincsf','mt9','musa','muz','mwand','mws','nap','orc','pmpl','r','sdii','seg','snsf','sth','sti','stw','sw','swav','syn','tfmx','tm2','tm8','ulw','val','voi' -GenerateIncidentReport security
    New-TransportRule "Notify Security if outbound email contains video (1)" -AttachmentExtensionMatchesWords 'aep','dzp','viv','vro','mp4.infovid','scm','dir','rms','wlmp','dzm','mswmm','amc','psh','3gp','veg','sfd','trp','wpl','m2p','ntp','aaf','bdmv','d3v','dck','gcs','ivr','m21','mk3d','mproj','msdvd','rdb','rmp','rv','screenflow','sec','swt','trec','usm','vcpf','viewlet','xej','dnc','ivf','playlist','spl','wm','bik','swf','webm','dcr','mani','prproj','wp3','mkv','avi','fbr','gfp','srt','piv','3gp2','bu','mpeg','wmv','scc','meta','gvi','vob','m4v','aepx','dzt','ts','ism','swi','amx','m2ts','rec','rmd','vpj','g64','mmv','ifo','wve','cpi','vp6','mov','vsp','mp4','mpg','hdmov','fcp','ogm','sbk','vc1','vgz','wmx','xesc','zm3','bnp','k3g','lvix','vp3','bin','mob','dmx','kmv','flv','par','vid','rmvb','dcr','tp','xvid','mnv','str','asf','bdm','camproj','mxf','yuv','0.89','avchd','dat','m1pg','mvd','roq','tsp','wmmp','ddat','f4f','imovielibrary','lsx','proqc','qt','sbt','video','yog','f4v','mts','3gpp','3mm','r3d','dav','smv','ogv','nvc','h264','3g2','dvdmedia','fcproject','ismv','sqz','tix','clpi','f4p','fli','hdv','m2t','mvp','nsv','rsx','smk','thp','ttxt','inp','mvc','m15','0.264','lrv','mvp','wmd','camrec','dxr','divx','stx','aetx','vep','dv4','db2','mpeg4','pds','mod','aec','ajp','dv','sfera','dvr','pmf','ced','dash','rm','ale','avp','bsf','dmsm','dream','imovieproj','otrkey','3p2','arcut','avb','avv','bdt3','bmc','cine','cip','cmmtpl','cmrec','cst','d2v','dce','dmsd','dmss','dpa','evo','eyetv','fbz','flc','flh','fpdx','ftc','gts','hkm','imoviemobile','imovieproject','ircp','ismc','izz','izzy','jss','jts','jtv','kdenlive','m21','m2v','mj2','mp21','mpgindex','mpls','mpv','mse','mtv','mve','mxv','ncor','nuv','ogx','pac','photoshow','plproj','ppj','prel','prtl','pxv','qtl','qtz','rcd','rum','rvid','rvl','sdv','sedprj','seq','sfvidcap','siv','smi','svi','tda3mt','tivo','tp0','tpd','tpr','tvlayer','tvs','tvshow','usf','vbc','vcv','vdo','vdr','vfz','vlab','vtt','wcp','wvx','wxp','xfl','xlmv','y4m','zm1','zm2','exo','lrec','mp4v','mys','vcr','w32','am','aqt','cvc','gom','mpeg1','mpv2','orv','rmv','ssm','zeg','arf','moi','zmv','wtv','mjp','gifv','mpe','dpg','mpl','rcproject','amv','tod','60d','moff','mp2v','tdt','dvr-ms','bmk','asx','edl','smil','snagproj','cmmp','dv-avi','eye','mgv','mp21','pgi','pro','stl','xml','avs','box','int','irf','scn','sml','ismclip','avs','evo','smi','awlive','m4e','mpg2','tdx','vivo','movie','vf','3gpp2','psb','axm','cmproj','dmsd3d','dvx','ezt','ffm','mqv','mvy','vp7','xel','aet','anx','avc','avd','axv','bdt2','bs4','bvr','byu','camv','cmv','cx3','dlx','dmb','dmsm3d','fbr','fcarch','ffd','flx','gvp','iva','jmv','ktn','m1v','m2a','m4u','mjpg','mpsub','mvex','osp','pns','pro4dvd','pro5dvd','pssd','pva','qtch' -GenerateIncidentReport security
    New-TransportRule "Notify Security if outbound email contains video (2)" -AttachmentExtensionMatchesWords 'qtindex','qtm','rp','rts','theater','tid','tvrecording','vem','vfw','vix','vs4','vse','wot','xmv','mvb','nut','pjs','sec','0.787','ssf','mpl','clk','dif','vft','vmlt','anim','grasp','moov','pvr','vmlf','modd','bix','cel','dsy','gl','ivs','lsf','m75','mpf','msh','pmv','rmd','rts','scm','vdx' -GenerateIncidentReport security

    The file extension lists are taken from fileinfo.com (audio and video).

    It should also be noted that these rules are fairly simple – they are only looking at the file extension name and not the actual contents of the message.
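    Rather than chunking the extension list by hand, the following PowerShell does the split automatically so that no rule exceeds the 8192-character limit quoted in the error above. It is an added example, not the blog’s own code: the 7500-character budget, the function names Split-ExtensionList and New-AttachmentExtensionRules and the short sample list are my assumptions, and the -FromScope/-SentToScope parameters make the “outbound” intent of the rule names explicit, which the rules above do not.

```powershell
# Added example (not from the original post): split a long attachment-extension
# list across several transport rules so that no single rule exceeds the
# 8192-character limit quoted in the error message above.

function Split-ExtensionList {
    param(
        [Parameter(Mandatory)][string[]]$Extensions,
        [int]$MaxChars = 7500   # assumed headroom below the 8192-character rule limit
    )
    # Normalise case and drop duplicates: the condition matches case-insensitively,
    # so repeats (e.g. 'ins' appears three times in the lists above) only waste budget.
    $unique = $Extensions |
        ForEach-Object { $_.Trim().ToLowerInvariant() } |
        Where-Object { $_ -match '^[a-z0-9][a-z0-9_\-\.]*$' } |
        Sort-Object -Unique

    $chunks  = New-Object System.Collections.Generic.List[object]
    $current = New-Object System.Collections.Generic.List[string]
    $used    = 0
    foreach ($ext in $unique) {
        # Each word costs its own length plus two quotes and a separating comma,
        # which is how the list is written on the command line above.
        $cost = $ext.Length + 3
        if (($used + $cost) -gt $MaxChars -and $current.Count -gt 0) {
            $chunks.Add($current.ToArray())
            $current.Clear()
            $used = 0
        }
        $current.Add($ext)
        $used += $cost
    }
    if ($current.Count -gt 0) { $chunks.Add($current.ToArray()) }
    # The leading comma stops PowerShell flattening the array of arrays on output.
    return ,$chunks.ToArray()
}

function New-AttachmentExtensionRules {
    param(
        [Parameter(Mandatory)][string]$NamePrefix,
        [Parameter(Mandatory)][string[]]$Extensions,
        [string]$IncidentReportTo = 'security',   # the mailbox the rules above report to
        [int]$MaxChars = 7500,
        [switch]$Preview                          # show the split without creating anything
    )
    $chunks = Split-ExtensionList -Extensions $Extensions -MaxChars $MaxChars
    $n = 0
    foreach ($chunk in $chunks) {
        $n++
        $name     = '{0} ({1})' -f $NamePrefix, $n
        $wordList = ($chunk | ForEach-Object { "'$_'" }) -join ','
        if ($Preview) {
            '{0}: {1} extensions, {2} characters of word list' -f $name, $chunk.Count, $wordList.Length
            continue
        }
        # -FromScope/-SentToScope limit the rule to mail leaving the organisation,
        # which the rule names above imply but the rules themselves do not enforce.
        New-TransportRule -Name $name `
            -FromScope InOrganization -SentToScope NotInOrganization `
            -AttachmentExtensionMatchesWords $chunk `
            -GenerateIncidentReport $IncidentReportTo
    }
}

# Constructed sample: a short list and a deliberately tiny budget, so the split is
# visible without an Exchange session. Real use: -Extensions (Get-Content .\audio.txt).
$sample = 'mp3','wav','flac','aiff','ogg','m4a','wma','aac','MP3','ins','ins'
New-AttachmentExtensionRules -NamePrefix 'Notify Security if outbound email contains audio' `
    -Extensions $sample -MaxChars 30 -Preview
```

    With the sample input and a 30-character budget the preview reports two rules (four and five extensions); with the default budget the real lists above fit in far fewer calls than the limit would otherwise force by trial and error.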

  • Creating an Office 365 profanity filter (works for Exchange too)

    As part of recreating the rules that my customer currently has set up with a popular cloud-based message hygiene platform, I needed to create an Office 365 profanity filter for Exchange Online. Believe it or not, there isn’t one built into the product (it disappeared with BPOS) but you can do some interesting things with DLP classification rules and policies.

    I’d like to publish the exact steps here but I can’t, for commercial reasons. What I can do though is signpost some useful resources:

    Once you’ve created a policy you can apply it in PowerShell with:

    New-ClassificationRuleCollection -FileData ([Byte[]]$(Get-Content -Path ProfanityPolicy.xml -Encoding Byte -ReadCount 0))

    If you need to update it then the cmdlet is Set-ClassificationRuleCollection and if you want to take it out again, Remove-ClassificationRuleCollection will do the trick.

    With the classification in place, you can create rules that use the policy. In my case, one to block emails containing sensitive content (i.e. a list of pre-defined words) and send an incident report to a defined mailbox.

    Even though I was working with Exchange Online (v15), the same process will work for Exchange Server 2013 and, presumably 2016 when it comes…

    Finally, one gotcha I found (well, it was a user error really):

    • I thought my rule wasn’t working. When I later logged into the shared mailbox that blocked messages were copied to, I found copies of the messages I’d been sending for quite a while. My confusion was because I’d been testing with Policy Tips (which seemed a bit hit and miss in OWA) and that doesn’t actually block the message (doh!). As soon as I enforced the rule, my rude messages started bouncing back as expected…

    NDR from message blocked by Office 365 profanity filter

  • An approach to enabling Office 365 features and functionality using group membership

    For large enterprises with a mature approach to IT services, the idea of managing access to features and functionality in Office 365 via a web portal is a step backwards. Service desk teams may be given specific instructions and limited access in order to carry out just the tasks that they need to. Arguably that’s not “may be given” but “should only be given”…

    One of my customers uses Active Directory groups to assign access to software – for example Project, or Visio – applications that are not universally available. We were talking about doing something similar for Office 365 features and functionality – i.e. adding a user to an Active Directory group to enable an element of their Office 365 subscription (the users are synchronised from the on-premises AD to Azure AD).

    I suggested writing a PowerShell script to run as a scheduled task, querying the membership of a particular group, and then making the changes in Office 365 to enable particular features. We could use it, for example, to enable a feature like OneDrive for Business to just a sub-set of users; or to assign Project Online or Visio Online licenses.

    Well, it turns out I’m no innovator here and it’s already being done elsewhere – Office 365 MVP Johan Dahlbom has published his script at the 365 lab. I haven’t run the script yet… but it certainly proves the concept and gives us a starting point…
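    The scheduled-task approach described above, as an added example that is neither Johan Dahlbom’s script nor anything from the original post: the members of one AD group are reconciled against the users currently holding one Office 365 SKU, so joining the group assigns the license and leaving it removes it. The group name, the SKU id and the usage location are placeholders, and Sync-LicenseFromGroup is my function name.

```powershell
# Added example (not from the original post): reconcile one Office 365 license
# against the membership of an on-premises AD group, suitable for a scheduled task.
Import-Module ActiveDirectory
Import-Module MSOnline

function Sync-LicenseFromGroup {
    param(
        [Parameter(Mandatory)][string]$GroupName,      # placeholder, e.g. 'O365-Visio-Online'
        [Parameter(Mandatory)][string]$AccountSkuId,   # placeholder, e.g. 'tenantname:VISIOCLIENT' (see Get-MsolAccountSku)
        [string]$UsageLocation = 'GB',                 # a usage location must be set before a license can be assigned
        [switch]$ReportOnly                            # report the changes without making them
    )
    # Desired state: UPNs of the group's (recursive) members. The UPN is the sign-in name
    # that Azure AD Sync carries across for synchronised users.
    $wanted = @(Get-ADGroupMember -Identity $GroupName -Recursive |
                Where-Object objectClass -eq 'user' |
                Get-ADUser |
                ForEach-Object { $_.UserPrincipalName.ToLowerInvariant() })

    # Current state: every tenant user who already holds this SKU. Only use this for a SKU
    # whose assignment is owned entirely by the group, because anything else gets removed.
    $users   = Get-MsolUser -All
    $holding = @($users | Where-Object { $_.Licenses.AccountSkuId -contains $AccountSkuId } |
                ForEach-Object { $_.UserPrincipalName.ToLowerInvariant() })

    $toAdd    = @($wanted  | Where-Object { $holding -notcontains $_ })
    $toRemove = @($holding | Where-Object { $wanted  -notcontains $_ })

    foreach ($upn in $toAdd) {
        $u = $users | Where-Object { $_.UserPrincipalName -ieq $upn }
        if (-not $u) { Write-Warning "$upn is in $GroupName but has not synced to Azure AD yet; skipping"; continue }
        if ($ReportOnly) { "Would add $AccountSkuId to $upn"; continue }
        if (-not $u.UsageLocation) { Set-MsolUser -UserPrincipalName $upn -UsageLocation $UsageLocation }
        Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $AccountSkuId
    }
    foreach ($upn in $toRemove) {
        if ($ReportOnly) { "Would remove $AccountSkuId from $upn"; continue }
        Set-MsolUserLicense -UserPrincipalName $upn -RemoveLicenses $AccountSkuId
    }

    [pscustomobject]@{ Group = $GroupName; Sku = $AccountSkuId; Added = $toAdd.Count; Removed = $toRemove.Count }
}

# Typical scheduled-task body: connect (a stored credential as in the command-line
# administration post above works here), then run with -ReportOnly until the counts look right.
$cred = Get-Credential
Connect-MsolService -Credential $cred
Sync-LicenseFromGroup -GroupName 'O365-Visio-Online' -AccountSkuId 'tenantname:VISIOCLIENT' -ReportOnly
```

    The returned object gives the service desk an audit line per run (how many licenses were added and removed for which group), which is the kind of record the portal approach does not produce.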