Deleted SharePoint Online site collections stay in a recycled state for a retention period (30 days at the time of writing; Get-SPODeletedSite reports the days remaining for each site) and are then permanently deleted. Using SharePoint Online PowerShell we can list the deleted site collections and restore one before that window closes.

To view the deleted SharePoint site collections, run the command below:

Get-SPODeletedSite

The Status of a deleted site shows as Recycled, and DaysRemaining tells you how long it can still be restored:

Get-SPODeletedSite | FL Status, DaysRemaining

To include deleted OneDrive personal sites in the list:

Get-SPODeletedSite -IncludePersonalSite:$True

To restore a deleted SharePoint Online site collection, run the command below with the URL of the site:

Restore-SPODeletedSite -Identity https://superhybridcloud.sharepoint.com/sites/specialpay
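The two commands above, put together as an added example (not code from the original post): list the recycled sites that are about to reach the end of their retention, and restore a site only after confirming it is really in the recycle bin. It assumes Connect-SPOService has already been run against the tenant admin URL; the site URL is the one used in the post.

```powershell
# Added example: inventory recycled site collections and restore one safely.
# Assumes an existing Connect-SPOService session.

function Get-ExpiringDeletedSites {
    param([int]$WithinDays = 7)
    # -IncludePersonalSite:$true also returns deleted OneDrive sites
    Get-SPODeletedSite -IncludePersonalSite:$true |
        Where-Object { $_.DaysRemaining -le $WithinDays } |
        Select-Object Url, Status, DaysRemaining, DeletionTime |
        Sort-Object DaysRemaining
}

function Restore-DeletedSiteSafely {
    param([Parameter(Mandatory)][string]$Url)
    # Only restore something that is actually recycled; otherwise the cmdlet
    # errors out and you may wrongly assume the restore happened.
    $deleted = Get-SPODeletedSite -IncludePersonalSite:$true |
        Where-Object { $_.Url -eq $Url }
    if (-not $deleted) {
        Write-Warning "$Url is not in the recycle bin (already restored or past retention)."
        return $null
    }
    Restore-SPODeletedSite -Identity $Url
    # Verify the site is back and report its current state
    Get-SPOSite -Identity $Url | Select-Object Url, Status, LastContentModifiedDate
}

# Usage (site URL taken from the post; tenant name is an example value)
Get-ExpiringDeletedSites -WithinDays 7 | Format-Table -AutoSize
Restore-DeletedSiteSafely -Url 'https://superhybridcloud.sharepoint.com/sites/specialpay'
```

Run Get-ExpiringDeletedSites on a schedule if you want a warning before content is gone for good; once DaysRemaining reaches zero there is no cmdlet that brings the site back.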

Hope this post is informative. Leave a comment if you need any assistance.

The OneDrive for Business Online report helps an organization view OneDrive usage details. Where sharing has been restricted, or allowed only for a few domains, the same report shows which domains each user's OneDrive site is allowed to share with.

Connect to the SPO service in PowerShell and run the command below to generate the OneDrive details.

The -IncludePersonalSite parameter adds the personal sites (OneDrive sites) to the output; Get-SPOSite leaves them out by default, so a OneDrive report has to ask for them explicitly.

If your organization has more than 200 users, you also need the command below to get all of the OneDrive sites: by default only the first 200 are returned.

In addition, we can pass a filter like the one below and export the results to a CSV file.

The output file looks like this:

You can filter the output to see only the rows you need.
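The report described above as one complete command, as an added example (not the post's own screenshots): all OneDrive sites, with the sharing-related properties a security reviewer wants, exported to CSV. It assumes an existing Connect-SPOService session; the output path is a placeholder.

```powershell
# Added example: OneDrive (personal site) report with sharing settings.
# Assumes Connect-SPOService has already been run.

function Get-OneDriveSharingReport {
    param([string]$OutFile = 'C:\Temp\OneDriveReport.csv')   # placeholder path

    # -Limit All      : overrides the default page of 200 sites
    # -IncludePersonalSite $true : adds the OneDrive sites, excluded by default
    # -Filter         : keeps only personal sites, evaluated server-side
    # -Detailed       : populates the sharing-domain properties
    $sites = Get-SPOSite -Limit All -IncludePersonalSite $true -Detailed `
        -Filter "Url -like '-my.sharepoint.com/personal/'"

    $report = foreach ($s in $sites) {
        [pscustomobject]@{
            Owner                    = $s.Owner
            Url                      = $s.Url
            StorageUsedMB            = $s.StorageUsageCurrent
            # Disabled / ExistingExternalUserSharingOnly / ExternalUserSharingOnly / ExternalUserAndGuestSharing
            SharingCapability        = $s.SharingCapability
            # None / AllowList / BlockList
            SharingDomainRestriction = $s.SharingDomainRestrictionMode
            SharingAllowedDomainList = $s.SharingAllowedDomainList
            SharingBlockedDomainList = $s.SharingBlockedDomainList
            LastContentModified      = $s.LastContentModifiedDate
        }
    }
    $report | Export-Csv -Path $OutFile -NoTypeInformation
    $report
}

$r = Get-OneDriveSharingReport
# Which users can create anonymous ("anyone") links from their OneDrive?
$r | Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Format-Table Owner, Url, SharingDomainRestriction -AutoSize
```

The filter runs in the service, so it is much cheaper than pulling every site collection and filtering client-side; the final Where-Object is the kind of question the post's CSV filtering is meant to answer.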

We may also need the OneDrive site details for a single user; the command below returns them.

Get-SPOSite -Identity https://superhybridcloud-my.sharepoint.com/personal/Raj_superhybridcloud_com

The identity of a OneDrive site in SharePoint Online has the shape shown below, so you can construct the site collection URL for any user:

https://superhybridcloud-my.sharepoint.com/ – the tenant name followed by -my.sharepoint.com

/personal/ – the path used for personal site collections

/Raj_superhybridcloud_com – the user's User Principal Name (ID@companyname.com) with the @ and every dot replaced by an underscore, i.e. id_companyname_com

Identity = https://superhybridcloud-my.sharepoint.com/personal/Raj_superhybridcloud_com

In addition, we can view the full details of a user's OneDrive site with the command below.

Get-SPOSite -Identity https://superhybridcloud-my.sharepoint.com/personal/Raj_superhybridcloud_com | fl
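The URL construction explained above, as an added example that is not part of the original post: a function that derives the OneDrive site URL from a UPN (SharePoint replaces every character that is not a letter or digit with an underscore, so hyphens and apostrophes are covered as well as the @ and dots) and a lookup that handles the common case where the user has never opened OneDrive. The tenant name and UPNs are the post's example values; it assumes an existing Connect-SPOService session.

```powershell
# Added example: UPN -> OneDrive site URL, then look the site up.
# Assumes Connect-SPOService has already been run.

function ConvertTo-OneDriveSiteUrl {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$TenantName
    )
    # SharePoint builds the personal site name by replacing every character that
    # is not a letter or digit in the UPN ('@', '.', '-', "'" ...) with '_'.
    $siteName = $UserPrincipalName -replace '[^A-Za-z0-9]', '_'
    "https://$TenantName-my.sharepoint.com/personal/$siteName"
}

function Get-UserOneDrive {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$TenantName
    )
    $url = ConvertTo-OneDriveSiteUrl -UserPrincipalName $UserPrincipalName -TenantName $TenantName
    try {
        Get-SPOSite -Identity $url -Detailed |
            Select-Object Url, Owner, StorageUsageCurrent, StorageQuota, SharingCapability, LockState
    } catch {
        # Most common cause: the user has never opened OneDrive, so the site
        # has not been provisioned yet.
        Write-Warning "No OneDrive site at $url : $($_.Exception.Message)"
    }
}

# Example values from the post; the second UPN shows dots and a hyphen being mapped
ConvertTo-OneDriveSiteUrl -UserPrincipalName 'Raj@superhybridcloud.com' -TenantName 'superhybridcloud'
ConvertTo-OneDriveSiteUrl -UserPrincipalName 'raj.kumar@sub-domain.superhybridcloud.com' -TenantName 'superhybridcloud'
Get-UserOneDrive -UserPrincipalName 'Raj@superhybridcloud.com' -TenantName 'superhybridcloud'
```

Site URLs are not case-sensitive, so the casing of the UPN does not matter for the lookup.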

Hope this is informative.

Generating a report on SharePoint Online site collections is easy; run the command below to export it.

Connect to the SharePoint Online Management Shell and run the command below.

Get-SPOSite -Limit All | export-csv C:\Temp\SPOsite.csv -NoTypeInformation

The output looks like this, and you can filter it based on your requirements.

All the information about the site collections in your tenant is available in the output.

We can quickly view the SharePoint Online Management Shell version with the command below (Get-Module only lists modules already loaded in the session, so run it after the module has been imported).

Get-Module *Sharepoint* | fl

In addition, the file version of the assembly below tells you the SharePoint Online Management Shell version.

C:\Program Files\SharePoint Online Management Shell\Microsoft.Online.SharePoint.PowerShell\Microsoft.Online.SharePoint.PowerShell.dll

Why is this required?

Microsoft may state that a feature only works from a particular version of the shell, so it is better to know which version you are running.

To connect to SharePoint Online, the SharePoint Online Management Shell must be installed on the client machine. It can be downloaded from the location below.

https://www.microsoft.com/en-in/download/details.aspx?id=35588

Once the SharePoint Online Management Shell is installed, launch it and connect to the SPO service using one of the options below.

Option 1: Using user name and password

  1. Store the credential in a variable

$Cred = Get-Credential -UserName admin@superhybridcloud.onmicrosoft.com -Message "Type your Password"

  2. Connect to the SPO service

Connect-SPOService -Url https://superhybridcloud-admin.sharepoint.com -Credential $Cred

Option 2: Using MFA (modern authentication)

Note: Passing a user name and password as in Option 1 uses legacy authentication, which has no way to answer an MFA challenge. If MFA is enabled, or legacy authentication is blocked by a Conditional Access policy, use this option.

  1. Connect to the SPO service

Connect-SPOService -Url https://superhybridcloud-admin.sharepoint.com

A browser window is launched and asks for credentials. Once authentication succeeds it triggers the MFA prompt, and once the MFA challenge succeeds you are connected to the SPO service.

Connecting to SharePoint Online PowerShell is easy, right?
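The version check and the MFA-capable connection from the two sections above, combined into one added example (not code from the original post): it finds the installed shell version without depending on the module being loaded yet, refuses to continue below a minimum version, connects with browser sign-in, and then proves the session is usable. The minimum version and the tenant name are placeholders for your own values.

```powershell
# Added example: check the installed SharePoint Online Management Shell version,
# connect with modern auth, and verify the session.

function Get-SpoShellVersion {
    # Get-Module alone shows only loaded modules; -ListAvailable shows what is installed
    $m = Get-Module -ListAvailable -Name Microsoft.Online.SharePoint.PowerShell |
        Sort-Object Version -Descending | Select-Object -First 1
    if (-not $m) { throw 'SharePoint Online Management Shell is not installed.' }
    [pscustomobject]@{ Version = $m.Version; Path = $m.Path }
}

function Connect-SpoAdmin {
    param(
        [Parameter(Mandatory)][string]$TenantName,
        [version]$MinimumShellVersion = '16.0.0.0'   # placeholder minimum
    )
    $shell = Get-SpoShellVersion
    if ($shell.Version -lt $MinimumShellVersion) {
        throw "Shell $($shell.Version) is older than required $MinimumShellVersion; update it first."
    }
    # The admin endpoint is always <tenant>-admin.sharepoint.com
    $adminUrl = "https://$TenantName-admin.sharepoint.com"
    # No -Credential: the module opens a browser sign-in, so MFA and Conditional
    # Access are honoured. -Credential forces legacy auth, which cannot complete
    # an MFA challenge and fails where legacy auth is disabled.
    Connect-SPOService -Url $adminUrl
    # Prove the session works instead of trusting a silent Connect-SPOService
    $tenant = Get-SPOTenant
    [pscustomobject]@{
        AdminUrl          = $adminUrl
        ShellVersion      = $shell.Version
        TenantSharing     = $tenant.SharingCapability        # tenant-wide external sharing setting
        LegacyAuthEnabled = $tenant.LegacyAuthProtocolsEnabled # $true means Option 1 style logins still work
    }
}

Connect-SpoAdmin -TenantName 'superhybridcloud'
```

LegacyAuthProtocolsEnabled in the returned object is worth watching: as long as it is true, the user-name-and-password path of Option 1 remains available to anyone holding a valid password, MFA or not.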

Configuring the OWA session timeout is an important security measure that every organization should follow to keep its data safe. Below are the default session timeout settings for Outlook Web Access (OWA), now called Outlook on the web (OotW).

OWA forms-based authentication offers two options at sign-in, private computer or public computer, and the session timeout depends on the user's selection:

  • Public computer – the OWA session times out after 15 minutes of inactivity
  • Private computer – the OWA session times out after 8 to 12 hours of inactivity

Note the words "of inactivity": the session only times out when there is no activity in Outlook Web Access.

Note: Typing in meeting requests, appointments, contacts or tasks is not counted as activity.

Your corporate security team may advise you to configure a shorter timeout based on its concerns, for example 15 minutes or two hours. To change the setting you need the Organization Management role in Exchange Online, and you run the command below.

Set-OrganizationConfig -ActivityBasedAuthenticationTimeoutEnabled:$True -ActivityBasedAuthenticationTimeoutWithSingleSignOnEnabled:$True -ActivityBasedAuthenticationTimeoutInterval 00:15:00

You have to wait some time for the setting to replicate; run the command below to check that it is configured as intended.

Get-OrganizationConfig | fl Activity*
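The change and verification above as an added example (not code from the original post): it validates the interval against the range Set-OrganizationConfig accepts (00:05:00 to 08:00:00) before applying it, then polls Get-OrganizationConfig until the new value is visible rather than assuming replication has finished. It assumes an Exchange Online PowerShell session with the Organization Management role.

```powershell
# Added example: set the activity-based OWA timeout with input validation and
# wait for the change to become visible. Assumes an Exchange Online session.

function Set-OwaInactivityTimeout {
    param(
        [Parameter(Mandatory)][timespan]$Interval,
        [switch]$IncludeSingleSignOn
    )
    # Exchange accepts 00:05:00 to 08:00:00 for this interval
    $min = [timespan]'00:05:00'
    $max = [timespan]'08:00:00'
    if ($Interval -lt $min -or $Interval -gt $max) {
        throw "Interval $Interval is outside the supported range $min - $max"
    }
    Set-OrganizationConfig -ActivityBasedAuthenticationTimeoutEnabled $true `
        -ActivityBasedAuthenticationTimeoutWithSingleSignOnEnabled $IncludeSingleSignOn.IsPresent `
        -ActivityBasedAuthenticationTimeoutInterval $Interval
}

function Wait-OwaTimeoutApplied {
    param(
        [Parameter(Mandatory)][timespan]$Expected,
        [int]$TimeoutMinutes = 30
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $cfg = Get-OrganizationConfig |
            Select-Object ActivityBasedAuthenticationTimeoutEnabled,
                          ActivityBasedAuthenticationTimeoutWithSingleSignOnEnabled,
                          ActivityBasedAuthenticationTimeoutInterval
        if ($cfg.ActivityBasedAuthenticationTimeoutEnabled -and
            [timespan]$cfg.ActivityBasedAuthenticationTimeoutInterval -eq $Expected) {
            return $cfg
        }
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    Write-Warning "Setting not visible after $TimeoutMinutes minutes; replication may still be in progress."
    $cfg
}

# 15 minute timeout, also applied to single sign-on (federated) sessions
Set-OwaInactivityTimeout -Interval '00:15:00' -IncludeSingleSignOn
Wait-OwaTimeoutApplied -Expected '00:15:00'
```

Leave -IncludeSingleSignOn out if your federated users must keep their existing behaviour; without it the timeout applies only to sessions authenticated directly against Exchange Online.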

The real point of this post is this: when you set a short OWA session timeout and also have an Azure Conditional Access policy that requires MFA for Exchange Online, user experience suffers, because after every timeout the user has to complete an MFA challenge again when signing back in to OWA.

Educate your users about the 15 minute OWA session timeout and your MFA settings. For users who only use OWA to read their email, you can ask them to tick the option not to be prompted for MFA again for the next 24 hours, if your policy allows it.

Again, if you consider that a security concern, discuss the trade-off with corporate security and decide on a solution that balances user experience and security.

Hope this is informative and you like it.

Device management in Azure AD is required to ensure that the devices connecting to cloud services meet the company's security and compliance standards. With on-premises Active Directory, company computers are joined to that AD and administrators control those domain-joined devices, for example by pushing Group Policy.

Joining a computer to Azure Active Directory is similar to joining it to on-premises Active Directory. The difference is that Azure AD is in the cloud, and joining a machine to it provides additional capabilities: single sign-on when accessing applications, and the ability to restrict access based on the device's Azure AD join state using Azure Conditional Access.

There are three types of device join to Azure Active Directory:

  • Hybrid Azure AD Join: device joined to both on-premises Active Directory and Azure Active Directory.
  • Azure AD Join: device joined directly to Azure AD (not joined to an on-premises AD domain).
  • Azure AD Registered (Workplace Join): device registered with Azure Active Directory, typically personal Windows 10 machines and mobile devices.

These three states are not treated alike during Conditional Access evaluation: the "Require Hybrid Azure AD joined device" grant control is satisfied only by hybrid-joined devices, while Azure AD joined and Azure AD registered devices have to meet a different control, typically "Require device to be marked as compliant", which needs the device enrolled in Intune or another MDM.

Hybrid Azure AD Join in Windows 10

In short, the Windows 10 device registration process is:

  1. A Group Policy pushed to the machine starts device registration with Azure AD
  2. The Windows device queries AD for information about the Azure AD tenant
  3. The Windows device authenticates itself to Azure AD via ADFS to get a token for device registration
  4. The Windows device generates the key pairs used for device registration
  5. The Windows device registers with Azure AD via the Azure Device Registration Service

Below is the detailed explanation of how Hybrid Azure AD Join works.

A few things must be configured for Hybrid Azure AD Join to work, such as the Azure AD Connect deployment, the Group Policy and the ADFS issuance transform rules. Those prerequisite steps are not covered here; we assume they are already in place and look only at the flow on the Windows 10 machine.

  1. The Group Policy pushed to Windows 10 clients creates a scheduled task for device registration, and the task is triggered.
  2. The Windows 10 client queries AD for the Service Connection Point object, which holds the details of the Azure AD tenant the client has to connect to. The Azure AD Connect deployment creates this object; its path is highlighted on the diagram for reference.
  3. The Azure AD tenant information (tenant name and ID) is returned to the Windows 10 client.
  4. A hidden browser is launched and an OAuth authorization code request is sent to Azure AD.
  5. Azure AD redirects the client to authenticate with ADFS.
  6. The client reaches ADFS and authenticates with the computer account as its identity, using Windows Integrated Authentication. Note: if the device is on the Internet, this authentication fails, because the WAP server presents forms-based authentication and nobody can answer a prompt in a hidden browser.
  7. ADFS validates the computer identity with AD.
  8. After successful authentication, AD returns the claim details to ADFS.
  9. ADFS issues a token containing three claims about the device to the Windows client.
  10. The client sends the ADFS token with the three device claims to Azure AD.
  11. Azure AD trusts the ADFS token, because the federation is already in place, and sends the client a final token for Azure device registration.
  12. The device creates a private/public key pair used in a certificate signing request to Azure DRS, to obtain the certificate the device will later use to authenticate to Azure AD. The task also generates a second private/public key pair, later used to bind the Primary Refresh Token (PRT) to the physical device at authentication time.
  13. The task sends the certificate signing request, together with the final token received from Azure AD, to the Azure Device Registration Service.
  14. Azure DRS validates the token, issues a certificate, creates a device object recording the certificate thumbprint, and returns the certificate to the client.
  15. The client stores the certificate in the local computer's personal (My) certificate store.

At this point the device registration is complete. For the single sign-on experience in Windows 10, the device still needs a Primary Refresh Token (PRT) from Azure AD.

When the user signs in to the client with their credentials, the Cloud Authentication Provider plug-in in Windows authenticates against ADFS and Azure AD to obtain the PRT; it knows the Azure AD and ADFS endpoints from the details cached during device registration. The plug-in sends the credentials directly to ADFS, receives a SAML token, and presents it to Azure AD. Azure AD validates the token, builds a PRT carrying both user and device claims, and returns it to the Windows device.
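A practical check for everything above, as an added example that is not part of the original post: `dsregcmd /status` on the device reports the join state (the three types listed earlier), the device ID and certificate thumbprint created in steps 12 to 15, and whether a PRT was obtained. The function below parses that output into a join classification. The sample output is constructed so the block runs offline; its IDs and thumbprint are placeholders, and the last line shows how to run it against the live command.

```powershell
# Added example: classify a Windows 10 device's Azure AD join state from dsregcmd /status.

function ConvertFrom-DsRegStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $h = @{}
    foreach ($line in $Lines) {
        # Value lines look like "   AzureAdJoined : YES"; box-drawing lines have no colon
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') { $h[$matches[1]] = $matches[2] }
    }
    $aad = $h['AzureAdJoined']   -eq 'YES'
    $dom = $h['DomainJoined']    -eq 'YES'
    $wpj = $h['WorkplaceJoined'] -eq 'YES'   # reported in the User State section
    $join = if ($aad -and $dom) { 'Hybrid Azure AD joined' }
            elseif ($aad)       { 'Azure AD joined' }
            elseif ($wpj)       { 'Azure AD registered (Workplace Join)' }
            else                { 'Not registered' }
    [pscustomobject]@{
        JoinType       = $join
        TenantName     = $h['TenantName']
        DeviceId       = $h['DeviceId']
        CertThumbprint = $h['Thumbprint']               # device certificate from steps 12-15
        HasPrt         = ($h['AzureAdPrt'] -eq 'YES')   # PRT present => SSO to Azure AD works for this user
    }
}

# Constructed sample of dsregcmd /status output (placeholder IDs), for an offline run
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : SUPERHYBRIDCLOUD
+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+
                  DeviceId : 00000000-0000-0000-0000-000000000000
                Thumbprint : 0000000000000000000000000000000000000000
                TenantName : superhybridcloud
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
'@ -split "`r?`n"

ConvertFrom-DsRegStatus -Lines $sample

# Live check on the device itself:
# ConvertFrom-DsRegStatus -Lines (dsregcmd /status)
```

A device that reports Hybrid Azure AD joined but HasPrt false has completed registration (steps 1 to 15) yet the signed-in user has not obtained a PRT, so single sign-on and device-based Conditional Access will not work for that session until the user signs in again on a network path where ADFS authentication succeeds.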

I hope this is informative and you like it. Please comment for any clarification.

We saw how moderation works in the previous post; here we will see how email moderation works in a hybrid Exchange environment.

A hybrid Exchange environment is a deployment that provides a seamless experience between an on-premises Exchange organization and Exchange Online in Office 365, so the two Exchange environments appear as a single organization. In the environment below, the company superhybridcloud.com has an Office 365 tenant named superhybridcloud.onmicrosoft.com, and with the hybrid configuration mailboxes exist both in Exchange on-premises and in Exchange Online.

An arbitration mailbox exists in both Exchange environments. Depending on the sender's location, the respective arbitration mailbox processes the moderation, and the moderator can be in Exchange on-premises or in Exchange Online.

To understand how email moderation works in a hybrid Exchange environment, we will look at the following two scenarios.

  1. An on-premises user sends an email to a moderated DL and the moderator's mailbox is in Exchange Online.
  2. An Exchange Online user sends an email to a moderated DL and the moderator's mailbox is in on-premises Exchange.

On-Premise Users sent an email to Moderated DL and Moderator Mailbox is in Exchange Online.

In this scenario, the arbitration mailbox in on-premises Exchange does the email moderation. The diagram below explains the moderation flow when an on-premises user sends an email to a moderated DL and the moderator's mailbox is in Exchange Online.

  1. The on-premises user sends an email to the moderation-enabled distribution group.
  2. The categorizer identifies that the email must be moderated and reroutes it to the arbitration mailbox.
  3. The store driver stores the email in the arbitration mailbox and sends the moderator a request to approve or reject it. The request comes from the arbitration mailbox address someguid@superhybridcloud.com and carries the approve/reject options.
  4. The moderator's mailbox is in Exchange Online, so the on-premises transport server routes the request to Exchange Online. The moderator's decision is sent back to the arbitration mailbox someguid@superhybridcloud.com, which is on-premises.
  5. The store driver component on the transport role marks the moderator's decision on the copy of the email held in the on-premises arbitration mailbox.
  6. The Approval Assistant processes the email based on the moderator's decision:

    6.a If the moderator approves the email, it is delivered to the recipients (the distribution group members). Members can be in on-premises Exchange or Exchange Online; the on-premises transport server resolves each recipient and delivers accordingly.

    6.b If the moderator rejects the email, a rejection notification is sent to the sender.

  7. If the moderator takes no action, the message expires and an expiration notification is sent to the sender.

Exchange Online User sent an email to Moderated DL and Moderator Mailbox is in On-Premise Exchange

In this scenario, as you may have guessed, the arbitration mailbox in Exchange Online does the email moderation. As of the date of this post, this scenario does not work, and the Microsoft product engineering team is working on it.

  1. The Exchange Online user sends an email to the moderation-enabled distribution group. Because the distribution group objects, including the moderation settings, are synced from on-premises Active Directory to Azure AD, the moderation details are available in Exchange Online.
  2. The categorizer identifies that the email must be moderated and reroutes it to the Exchange Online arbitration mailbox, whose address is someguid@superhybridcloud.onmicrosoft.com.
  3. The store driver stores the email in the arbitration mailbox and sends the moderator a request to approve or reject it. The Exchange Online arbitration mailbox (someguid@superhybridcloud.onmicrosoft.com) sends the request, with the approve/reject options, to the moderator in on-premises Exchange.
  4. The moderator's mailbox is in on-premises Exchange, and the moderator's decision is sent back to the arbitration mailbox someguid@superhybridcloud.onmicrosoft.com, which is in Exchange Online.

Directory Based Edge Blocking (DBEB) is a feature of Exchange Online Protection that checks whether the recipient address exists in Azure AD; if it does not, EOP rejects the message at the edge and the sender receives an NDR.

At step 4, the moderator's approval or rejection is addressed to the Exchange Online arbitration mailbox someguid@superhybridcloud.onmicrosoft.com, and by default that address does not exist in Azure AD. EOP therefore rejects the reply and the remaining steps never happen.

The Microsoft support team is aware of this issue and is working on a permanent fix.

As a workaround, keep the moderator in Exchange Online: for email sent from either on-premises Exchange or Exchange Online, moderation then works without issues.
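A check that follows from the workaround above, as an added example that is not part of the original post: from an Exchange Online PowerShell session, list every moderated group whose moderator is an on-premises mailbox (in a hybrid tenant an on-premises mailbox is represented in Exchange Online as a MailUser), because those are the groups whose approval replies will hit the DBEB problem described above. It assumes an Exchange Online session and that the ModeratedBy entries resolve through Get-Recipient.

```powershell
# Added example: find moderated groups whose moderators sit on-premises.
# Assumes an Exchange Online PowerShell session.

function Get-ModeratedGroupsWithOnPremModerators {
    $groups = Get-DistributionGroup -ResultSize Unlimited -Filter 'ModerationEnabled -eq $true'
    foreach ($g in $groups) {
        # With an empty ModeratedBy, Exchange falls back to the group owners
        $moderators = if ($g.ModeratedBy.Count -gt 0) { $g.ModeratedBy } else { $g.ManagedBy }
        foreach ($m in $moderators) {
            $r = $null
            try { $r = Get-Recipient -Identity "$m" -ErrorAction Stop } catch { }
            # In a hybrid tenant an on-premises mailbox appears in EXO as a MailUser
            $onPrem = ($null -ne $r) -and ($r.RecipientTypeDetails -eq 'MailUser')
            [pscustomobject]@{
                Group           = $g.PrimarySmtpAddress
                Moderator       = "$m"
                ModeratorType   = if ($r) { $r.RecipientTypeDetails } else { 'NotFound' }
                OnPremModerator = $onPrem
                FallbackToOwner = ($g.ModeratedBy.Count -eq 0)
            }
        }
    }
}

# Groups that will break for mail sent by Exchange Online users
Get-ModeratedGroupsWithOnPremModerators |
    Where-Object { $_.OnPremModerator } |
    Format-Table Group, Moderator, ModeratorType, FallbackToOwner -AutoSize
```

Moving each flagged moderator to Exchange Online, or adding a cloud moderator alongside, is the workaround the post describes; the FallbackToOwner column catches groups where nobody set ModeratedBy and an on-premises owner silently became the moderator.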

Post your comments if any details required.

How the E-Mail Moderation works?

December 15th, 2018 | Posted by admin in Exchange

Email moderation lets you control messages sent to a group: a moderator approves or rejects each email before it reaches the group. Moderation plays an important role on large distribution groups, where it stops unwanted emails from being delivered to a large audience.

Before looking at how moderation works, we need to understand what an arbitration mailbox is. Exchange setup creates 5 arbitration mailboxes used for system purposes; the one named Microsoft Exchange Approval Assistant handles email moderation.

Below diagram shows how the message moderation works in Exchange On-Premise.

  1. The sender sends an email to a moderation-enabled distribution group.
  2. The categorizer identifies that the email must be moderated and reroutes it to the arbitration mailbox.
  3. The store driver stores the email in the arbitration mailbox and sends the moderator a request to approve or reject it.
  4. The moderator approves or rejects the email, and the decision is sent to the arbitration mailbox.
  5. The store driver component on the transport role marks the moderator's decision on the copy of the email held in the arbitration mailbox.
  6. The Approval Assistant processes the email based on the moderator's decision:

    6.a If the moderator approves the email, it is delivered to the recipients (the distribution group members).

    6.b If the moderator rejects the email, a rejection notification is sent to the sender.

Note: If the moderator does not approve or reject the email, it expires and an expiration notification is sent to the sender.
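The configuration the flow above relies on, as an added example that is not code from the original post: enable moderation on a group with named moderators and a bypass list, report how every moderated group in the organization is configured, and locate the Approval Assistant arbitration mailbox the flow routes through. It assumes an Exchange Management Shell (on-premises) session; the group and user names are placeholders.

```powershell
# Added example: configure and report on distribution group moderation.
# Assumes an on-premises Exchange Management Shell session.

function Enable-GroupModeration {
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string[]]$Moderators,
        [string[]]$BypassSenders = @()
    )
    # SendModerationNotifications: Always / Internal / Never controls who gets the
    # rejection and expiry notices from step 6.b and the note above.
    Set-DistributionGroup -Identity $Group `
        -ModerationEnabled $true `
        -ModeratedBy $Moderators `
        -BypassModerationFromSendersOrMembers $BypassSenders `
        -SendModerationNotifications Always
}

function Get-ModerationReport {
    Get-DistributionGroup -ResultSize Unlimited -Filter 'ModerationEnabled -eq $true' |
        Select-Object Name, PrimarySmtpAddress,
            @{ n = 'Moderators'; e = { ($_.ModeratedBy | ForEach-Object { "$_" }) -join ';' } },
            @{ n = 'Bypass';     e = { ($_.BypassModerationFromSendersOrMembers | ForEach-Object { "$_" }) -join ';' } },
            SendModerationNotifications
}

function Get-ApprovalArbitrationMailbox {
    # The arbitration mailbox that holds moderated messages (steps 2-5 above)
    Get-Mailbox -Arbitration |
        Where-Object { $_.DisplayName -eq 'Microsoft Exchange Approval Assistant' } |
        Select-Object Name, PrimarySmtpAddress, Database
}

# Placeholder names
Enable-GroupModeration -Group 'All-Staff' -Moderators 'raj@superhybridcloud.com' -BypassSenders 'hr@superhybridcloud.com'
Get-ModerationReport | Format-Table -AutoSize
Get-ApprovalArbitrationMailbox
```

Keep the bypass list short and reviewed: every address on it sends to the whole group unmoderated, which is exactly what moderation was turned on to prevent.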

On the next blog, I will explain how the message moderation works in Hybrid Exchange Environment.