To connect to SharePoint Online, the SharePoint Online Management Shell must be installed on the client machine; it can be downloaded from the location below.

https://www.microsoft.com/en-in/download/details.aspx?id=35588

Once the SharePoint Online Management Shell is installed, launch it and connect to the SPO service using one of the options below.

Option 1: Using User Name and Password

  1. Store the credential in a variable

$Cred = Get-Credential -UserName admin@superhybridcloud.onmicrosoft.com -Message "Type your Password"

  2. Connect to the SPO service

Connect-SPOService -Url https://superhybridcloud-admin.sharepoint.com -Credential $Cred

Option 2: Using MFA

Note: Passing a user name and password as in Option 1 gives you no way to answer the MFA challenge. If MFA is enabled, use this option.

  1. Connect to the SPO service

Connect-SPOService -Url https://superhybridcloud-admin.sharepoint.com

A browser window is launched and asks for credentials. Once authentication succeeds, the MFA prompt is triggered; once the MFA challenge succeeds, you are connected to the SPO service.

Connecting to SharePoint Online PowerShell is easy, right?

Configuring the OWA session timeout is an important security measure that every organization should follow to keep its data safe. Below are the default session timeout settings for Outlook Web Access (OWA), also called Outlook on the Web (OotW).

OWA forms-based authentication offers two options for whether you are logging in from a private or a public computer. The OWA session timeout depends on the user's selection.

  • If it is a Public computer – the OWA session times out after 15 minutes of inactivity
  • If it is a Private computer – the OWA session times out after 8 to 12 hours of inactivity

Note the wording: 15 minutes of inactivity. The session times out only when there is no activity in Outlook Web Access.

Note: Typing in meeting requests, appointments, contacts, or tasks is not counted as activity.

Your corporate security team may advise you to configure a session timeout based on security concerns, for example every 15 minutes or every two hours. To change the setting, you need Organization Administrator rights in Exchange Online and must run the command below.

Set-OrganizationConfig -ActivityBasedAuthenticationTimeoutEnabled:$True -ActivityBasedAuthenticationTimeoutWithSingleSignOnEnabled:$True -ActivityBasedAuthenticationTimeoutInterval 00:15:00

You have to wait some time for the settings to replicate. Run the command below to check that the settings are configured properly.

Get-OrganizationConfig | fl Activity*
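Since replication takes a while, the following added example (not from the original post) applies the same three settings and then polls Get-OrganizationConfig until the change is visible, rather than guessing when to re-check. It assumes an existing Exchange Online PowerShell session (for example opened with Connect-ExchangeOnline); the function and parameter names are this example's own.

```powershell
# Added example: set the activity-based OWA timeout and wait for replication.
# Assumes an Exchange Online PowerShell session is already open.
function Set-OwaActivityTimeout {
    param(
        [timespan]$Interval = [timespan]::FromMinutes(15),
        [int]$MaxWaitMinutes = 30,
        [int]$PollSeconds = 60
    )

    # Exchange Online rejects intervals outside 5 minutes to 8 hours
    if ($Interval -lt [timespan]::FromMinutes(5) -or $Interval -gt [timespan]::FromHours(8)) {
        throw "Interval must be between 00:05:00 and 08:00:00"
    }

    # Same three settings as the command in the post
    Set-OrganizationConfig `
        -ActivityBasedAuthenticationTimeoutEnabled:$true `
        -ActivityBasedAuthenticationTimeoutWithSingleSignOnEnabled:$true `
        -ActivityBasedAuthenticationTimeoutInterval $Interval.ToString()

    $deadline = (Get-Date).AddMinutes($MaxWaitMinutes)
    do {
        $cfg = Get-OrganizationConfig |
            Select-Object ActivityBasedAuthenticationTimeoutEnabled,
                          ActivityBasedAuthenticationTimeoutWithSingleSignOnEnabled,
                          ActivityBasedAuthenticationTimeoutInterval

        # All three values must match before the change counts as applied
        $applied = $cfg.ActivityBasedAuthenticationTimeoutEnabled -and
                   $cfg.ActivityBasedAuthenticationTimeoutWithSingleSignOnEnabled -and
                   ([timespan]($cfg.ActivityBasedAuthenticationTimeoutInterval.ToString()) -eq $Interval)
        if ($applied) {
            Write-Host "Timeout settings are now visible in Get-OrganizationConfig"
            return $cfg
        }
        Write-Host "Not replicated yet; checking again in $PollSeconds seconds"
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)

    throw "Settings not visible after $MaxWaitMinutes minutes; re-run Get-OrganizationConfig | fl Activity* later"
}

# 15-minute inactivity timeout, as in the post
Set-OwaActivityTimeout -Interval ([timespan]::FromMinutes(15))
```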

The main point of this post: when you set the OWA session timeout to a short interval and have also configured an Azure Conditional Access policy to trigger MFA when accessing an Exchange Online mailbox in OWA, the user experience is affected, because users must answer the MFA challenge every time they log in to OWA.

Educate your users about the 15-minute OWA session timeout setting and your MFA challenge settings. If they are users who access only OWA to read their email, ask them to select the option not to be prompted for the MFA challenge for the next 24 hours.

Again, if you think this is a security concern, discuss the challenge with your corporate security team and decide on a solution that balances user experience and security.

Hope this is informative and you like it.

Device management in Azure AD is required to ensure that the devices connecting to cloud services meet the company's security and compliance standards. If you have an on-premises Active Directory, the company's computers are joined to that AD and administrators have control over those AD-joined devices, for example by pushing group policies.

Joining a computer to Azure Active Directory is similar to joining a computer to the local Active Directory. The difference is that Azure AD is in the cloud, and joining a machine to Azure AD provides additional capabilities such as a Single Sign-On experience when accessing applications; we can also restrict access to devices based on their Azure AD join status using Azure Conditional Access.

There are three types of device join to Azure Active Directory:

  • Hybrid Azure AD Join: device joined to both On-Premise Active Directory and Azure Active Directory.
  • Azure AD Join: device joined directly to Azure AD (not On-Premise AD domain joined).
  • Azure AD Registered (Workplace Join): device registered with Azure Active Directory, such as Windows 10 personal and mobile devices.

During Azure Conditional Access validation, all of the above devices joined to Azure are treated as domain-joined devices and the respective settings are applied.

Hybrid Azure AD Join in Windows 10

The Windows 10 device registration process, in brief:

  1. A Group Policy pushed to the machine starts device registration with Azure AD
  2. The Windows device queries AD to get information about the Azure AD tenant
  3. The Windows device authenticates itself to Azure AD via ADFS to get a token for device registration
  4. The Windows device generates the key pairs used for device registration
  5. The Windows device registers with Azure AD via the Azure Device Registration Service.

Below is the detailed explanation of how Hybrid Azure AD Join works.

A few things need to be configured for Hybrid Azure AD Join to work properly, such as the AD Connect deployment, the Group Policy push and the ADFS issuance transform rule; those prerequisite configuration steps are not explained here. We will assume they are already in place and look at the flow of how Azure AD Join works on a Windows 10 machine.

  1. Group Policy is pushed to the Windows 10 clients; it creates a scheduled task for device registration, and the task is triggered.
  2. The Windows 10 client queries AD for the Service Connection Point object, which holds the details of the Azure AD tenant the client has to connect to. The Azure AD Connect deployment creates those objects. I have highlighted the path for reference on the diagram.
  3. Azure AD tenant information, such as the Azure AD name and ID, is sent to the Windows 10 client.
  4. A hidden Internet browser is launched and an OAuth code authentication request is sent to Azure AD.
  5. Azure AD redirects the client to authenticate with ADFS.
  6. The client reaches ADFS presenting the computer account as its identity, using Windows Integrated Authentication. Note: if the device is on the Internet, authentication fails, because the WAP server uses forms-based authentication and you will not see the prompt in the hidden browser to authenticate.
  7. ADFS validates the computer identity with AD.
  8. After successful authentication, AD sends the claim details to ADFS.
  9. ADFS sends a token along with 3 claims to the Windows client, which the device will send to Azure AD for authentication.
  10. The client sends the token, along with the 3 claims about the device received from ADFS, to Azure AD.
  11. Azure AD trusts the token from the ADFS server, as the two are already integrated, and sends a final token to the client for Azure device registration.
  12. The device creates a private/public key pair to be used in a certificate signing request to Azure DRS, to obtain the certificate that the device will later use to authenticate to Azure AD. In addition, the task generates a second private/public key pair that is later used to bind the Primary Refresh Token (PRT) to the physical device upon authentication.
  13. The task sends the certificate signing request, along with the final token received from Azure AD, to the Azure Device Registration Service.
  14. Azure DRS validates the token, creates a certificate, creates a device object with the certificate's thumbprint and returns the certificate to the client.
  15. The client stores the certificate in the User My store.

With the steps above, device registration is complete. For the Single Sign-On experience in Windows 10, the Primary Refresh Token is then obtained from Azure AD.

When the user signs in to the client with their credentials, the Cloud Authentication Provider plug-in on the Windows client authenticates with Azure AD and ADFS to obtain the Primary Refresh Token. The Cloud Authentication Provider knows the Azure AD and ADFS details from the cache populated during device registration. The Cloud AP plug-in sends the credentials directly to ADFS, gets a SAML token and presents it to Azure AD for authentication; Azure AD authenticates it, builds a PRT with both user and device claims and returns it to the Windows device.
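To verify on a client that the registration flow and the PRT step described above actually completed, the following added example (not from the original post) parses the output of dsregcmd /status, the built-in Windows 10 command that reports device registration state, and distinguishes "not domain joined", "domain joined but not registered", "registered but no PRT yet" and "fully hybrid joined". The field names (AzureAdJoined, DomainJoined, AzureAdPrt, DeviceId, TenantName, TenantId) are the ones that command prints; the function names and the sample output are constructed for this example.

```powershell
# Added example: interpret dsregcmd /status for the Hybrid Azure AD Join flow above.
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Only "Key : Value" lines carry state; box-drawing and header lines are skipped
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]@{
        DomainJoined  = ($state['DomainJoined'] -eq 'YES')   # member of on-premises AD (step 2)
        AzureAdJoined = ($state['AzureAdJoined'] -eq 'YES')  # device object + certificate (steps 14-15)
        HasPrt        = ($state['AzureAdPrt'] -eq 'YES')     # PRT obtained at user sign-in
        DeviceId      = $state['DeviceId']
        TenantName    = $state['TenantName']
        TenantId      = $state['TenantId']
    }
}

function Test-HybridJoin {
    # With no -Lines argument this runs the real command on the current client
    param([string[]]$Lines = (& dsregcmd.exe /status))
    $s = ConvertFrom-DsregStatus -Lines $Lines
    if (-not $s.DomainJoined) {
        Write-Warning 'Not joined to on-premises AD, so hybrid join cannot apply.'
    } elseif (-not $s.AzureAdJoined) {
        Write-Warning 'Domain joined but not registered in Azure AD: check the GPO task and the SCP object.'
    } elseif (-not $s.HasPrt) {
        Write-Warning 'Hybrid joined, but no PRT yet: the Cloud AP sign-in via ADFS has not completed.'
    } else {
        Write-Host "Hybrid Azure AD joined to $($s.TenantName) ($($s.TenantId)); PRT present."
    }
    return $s
}

# Constructed sample in the shape dsregcmd /status prints, so the parser runs offline;
# the GUIDs and tenant name are placeholders
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                  DeviceId : 00000000-0000-0000-0000-000000000000
                TenantName : superhybridcloud.onmicrosoft.com
                  TenantId : 11111111-1111-1111-1111-111111111111
                AzureAdPrt : YES
'@ -split "`r?`n"

Test-HybridJoin -Lines $sample
```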

I hope this is informative and you like it. Please comment for any clarification.

We saw how moderation works in the previous post; here we will see how email moderation works in a Hybrid Exchange environment.

A Hybrid Exchange environment is a configuration/deployment that provides a seamless experience for an Exchange organization spanning an On-Premise Exchange organization and Exchange Online in Office 365. The two Exchange environments are combined to appear as a single Exchange organization. In the environment below, the company superhybridcloud.com has an Office 365 tenant named superhybridcloud.onmicrosoft.com, and mailboxes exist both in Exchange On-Premise and in Exchange Online through the Hybrid Configuration.

An arbitration mailbox is available in both Exchange environments; based on the sender's location, the respective arbitration mailbox processes the email moderation, and the moderator can be in Exchange On-Premise or Exchange Online.

To understand how email moderation works in a Hybrid Exchange environment, we will look at the following two scenarios.

  1. An On-Premise user sends an email to a moderated DL and the moderator mailbox is in Exchange Online.
  2. An Exchange Online user sends an email to a moderated DL and the moderator mailbox is in On-Premise Exchange.

On-Premise user sends an email to a moderated DL and the moderator mailbox is in Exchange Online

In this scenario, the arbitration mailbox in On-Premise Exchange does the email moderation. The diagram below explains the moderation flow when an On-Premise user sends an email to a moderated DL and the moderator mailbox is in Exchange Online.

  1. The On-Premise user sends an email to a moderation-enabled distribution group.
  2. The categorizer identifies that the email must be moderated and reroutes it to the arbitration mailbox.
  3. The store driver stores the email in the arbitration mailbox and sends a request to the moderator to approve or reject it. The request is sent from the arbitration mailbox someguid@superhybridcloud.com to the moderator with approve/reject options.
  4. The moderator mailbox is in Exchange Online, so the On-Premise transport server routes the email to Exchange Online for approval/rejection, and the moderator's decision is sent back to the arbitration mailbox someguid@superhybridcloud.com, which is in On-Premise.
  5. The store driver component on the transport role marks the moderator's decision on the copy of the email held in the On-Premise Exchange arbitration mailbox.
  6. The Information Assistant processes the email based on the moderator's decision:

    6.a If the moderator approves the email, it is delivered to the recipients (distribution group members). Members can be in On-Premise Exchange and Exchange Online; the On-Premise transport server resolves the recipients and delivers the email accordingly.

    6.b If the moderator rejects the email, a rejection notification is sent to the sender.

  7. If the moderator takes no action, the message expires and a message expiration notification is sent to the sender.

Exchange Online user sends an email to a moderated DL and the moderator mailbox is in On-Premise Exchange

In this scenario, as you guessed, the arbitration mailbox in Exchange Online does the email moderation. As of today, this scenario does not work, and the Microsoft Product Engineering team is working on it.

  1. The Exchange Online user sends an email to a moderation-enabled distribution group. Since the distribution group objects, along with their moderation details, are synced from On-Premise Active Directory to Azure AD, the DL's moderation settings are available in Exchange Online.
  2. The categorizer identifies that the email must be moderated and reroutes it to the Exchange Online arbitration mailbox with the email address someguid@superhybridcloud.onmicrosoft.com.
  3. The store driver stores the email in the arbitration mailbox and sends a request to the moderator to approve or reject it. The Exchange Online arbitration mailbox (someguid@superhybridcloud.onmicrosoft.com) sends an email to the On-Premise Exchange moderator with approve/reject options.
  4. The moderator mailbox is in Exchange On-Premise, and the moderator's decision is sent back to the arbitration mailbox someguid@superhybridcloud.onmicrosoft.com, which is in Exchange Online.

Directory Based Edge Blocking is a feature of Exchange Online Protection that checks whether the recipient address exists in Azure AD; if it does not, EOP drops the email.

At step 4, the moderator's approval or rejection email is sent to the Exchange Online arbitration mailbox at someguid@superhybridcloud.onmicrosoft.com, and by default this address is not present in Azure AD. EOP drops the email and the remaining steps do not continue.

The Microsoft Support team is aware of this issue and is working on a permanent fix.

As a workaround, keep the moderator in Exchange Online: for email sent from either On-Premise Exchange or Exchange Online, moderation then works without issues.

Post your comments if any details required.

How the E-Mail Moderation works?

December 15th, 2018 | Posted by admin in Exchange - (0 Comments)

Email moderation lets you control messages sent to a group: a moderator approves or rejects each email to the group. Email moderation plays an important role when allowing email to large distribution groups, to avoid unwanted emails being delivered to a large audience.

We need to understand what an arbitration mailbox is before looking at how email moderation works. The Exchange installation creates 5 different arbitration mailboxes used for system purposes; the Microsoft Exchange Approval Assistant arbitration mailbox handles email moderation.

The diagram below shows how message moderation works in Exchange On-Premise.

  1. The sender sends an email to a moderation-enabled distribution group.
  2. The categorizer identifies that the email must be moderated and reroutes it to the arbitration mailbox.
  3. The store driver stores the email in the arbitration mailbox and sends a request to the moderator to approve or reject it.
  4. The moderator approves/rejects the email, and the action is sent to the arbitration mailbox.
  5. The store driver component on the transport role marks the moderator's decision on the copy of the email held in the arbitration mailbox.
  6. The Information Assistant processes the email based on the moderator's decision:

    6.a If the moderator approves the email, it is delivered to the recipients (distribution group members).

    6.b If the moderator rejects the email, a rejection notification is sent to the sender.

Note: If the moderator does not take action to approve/reject the email, the email expires and an expiration notification is sent to the sender.
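The moderation flow above, and the two hybrid scenarios in the earlier post, both depend on the Approval Assistant arbitration mailbox being present and on where the moderators' mailboxes live. The following added example (not from the original post) reports those facts for one distribution group from the on-premises Exchange Management Shell; the function name and the group name are constructed for this example.

```powershell
# Added example: report a DL's moderation settings, the Approval Assistant arbitration
# mailbox that will process it, and whether each moderator's mailbox is local or remote.
# Meant for the on-premises Exchange Management Shell.
function Get-ModerationReport {
    param([Parameter(Mandatory)][string]$GroupIdentity)

    $dl = Get-DistributionGroup -Identity $GroupIdentity
    if (-not $dl.ModerationEnabled) {
        Write-Warning "$($dl.PrimarySmtpAddress) is not moderated; the categorizer will deliver it directly."
    }

    # The Approval Assistant arbitration mailbox handles moderation (step 2 above)
    $arb = Get-Mailbox -Arbitration | Where-Object { $_.DisplayName -like '*Approval Assistant*' }
    if (-not $arb) {
        Write-Warning 'No Approval Assistant arbitration mailbox found; moderation cannot be processed here.'
    }

    # A remote moderator (MailUser / RemoteUserMailbox) means the approval request crosses
    # to the other side of the hybrid organization, which is the scenario discussed earlier
    $moderators = foreach ($m in $dl.ModeratedBy) {
        $r = Get-Recipient -Identity $m
        [pscustomobject]@{
            Moderator = $r.PrimarySmtpAddress
            Type      = $r.RecipientTypeDetails
            Local     = ($r.RecipientTypeDetails -eq 'UserMailbox')
        }
    }

    [pscustomobject]@{
        Group              = $dl.PrimarySmtpAddress
        ModerationEnabled  = $dl.ModerationEnabled
        Notifications      = $dl.SendModerationNotifications
        BypassSenders      = $dl.BypassModerationFromSendersOrMembers
        ArbitrationMailbox = $arb.PrimarySmtpAddress
        Moderators         = $moderators
    }
}

# 'All-Staff' is a constructed group name for this example
Get-ModerationReport -GroupIdentity 'All-Staff'
```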

In the next blog post, I will explain how message moderation works in a Hybrid Exchange environment.

Let us assume the Exchange Hybrid organization has pointed its MX record to Office 365, that is, to Exchange Online Protection; mail flow then works as shown in the diagram below.

In this article, we will see how inbound and outbound flow works when email routing is configured to go through Exchange Online Protection.

Inbound Mail Flow

The MX record points to the Office 365 tenant, so Exchange Online Protection receives the email and processes it in this order:

  1. Recipient validation using Directory Based Edge Blocking; if the recipient does not exist, the email is dropped.
  2. Anti-virus scanning; EOP has 3 AV engines.
  3. Recipient resolution, such as distribution group expansion.
  4. Transport rules are applied; if a transport rule marks the email as spam, it is quarantined.
  5. Anti-spam protection, which includes content scanning, Outlook safe sender validation, URL blocking, bulk mail filtering and international spam filtering.
  6. Customer delivery pool, and then on to the On-Premise server.

Outbound Mail Flow

An Office 365 or On-Premise user sends an email, which then passes through these stages:

  1. Virus scanning
  2. Recipient resolution
  3. Transport rules
  4. Spam protection
  5. Outbound delivery pool
  6. Recipient MX resolution
  7. Recipient domain

If an outbound email is identified with a high spam score, it is delivered via the high-risk delivery pool.

The above is a high-level illustration of how mail flow works in Office 365.
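To see which of the stages above a real message went through, the following added example (not from the original post) pulls a message trace for one recipient and lists each event in order. It assumes an existing Exchange Online PowerShell session; Get-MessageTrace and Get-MessageTraceDetail are the standard Exchange Online cmdlets, while the function name and the addresses are constructed for this example.

```powershell
# Added example: trace recent messages to a recipient through EOP stage by stage.
# Assumes an Exchange Online PowerShell session is already open.
function Trace-RecentMessages {
    param(
        [Parameter(Mandatory)][string]$Recipient,
        [string]$Sender,
        [int]$Hours = 24
    )

    # Message trace is limited to a recent window, so search by time and recipient
    $params = @{
        RecipientAddress = $Recipient
        StartDate        = (Get-Date).AddHours(-$Hours)
        EndDate          = Get-Date
    }
    if ($Sender) { $params.SenderAddress = $Sender }

    $messages = Get-MessageTrace @params
    if (-not $messages) {
        Write-Warning "No messages to $Recipient in the last $Hours hours (note: messages rejected at the edge never enter the trace)"
        return
    }

    foreach ($m in $messages) {
        # Status is the final disposition, e.g. Delivered, Quarantined, FilteredAsSpam, Failed
        Write-Host "$($m.Received) $($m.SenderAddress) -> $($m.RecipientAddress) : $($m.Status)"

        # Detail events show the individual hops: receive, spam/malware verdicts, transport rules, delivery
        Get-MessageTraceDetail -MessageTraceId $m.MessageTraceId -RecipientAddress $m.RecipientAddress |
            Sort-Object Date |
            ForEach-Object { Write-Host ("   {0:HH:mm:ss}  {1,-16} {2}" -f $_.Date, $_.Event, $_.Detail) }
    }
    return $messages
}

# Constructed addresses for this example
Trace-RecentMessages -Recipient 'user@superhybridcloud.com' -Hours 6
```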

Office 365 Interview Questions and Answers

December 11th, 2018 | Posted by admin in Exchange - (1 Comments)

If you are looking for Office 365 Interview Questions and Answers, we can assist you in clearing your interview with real time Office 365 Interview questions and Answers. Please reach me @ Superhybrid.cloud@yahoo.com to get the document for a considerable fee.

It is prepared in a way that it helps you to gain 100% confidence to attend your Office 365 Administrator Interview and surely you will get selected if you go through all the Q&A.

All the best for your new job.