How to link another on-premises user to an Azure AD object using ImmutableID (Hard Match)

Hello,

Now that Office 365 runs in Hybrid mode, we need to be able to address old scenarios such as:

User1 left the company and User2 needs to take over User1's Office 365 user (OneDrive, mailbox, SharePoint, ...).

User1 has been deleted and you want to connect a new user (User2) to the existing Office 365 user.

User1 has been moved from Domain1 to Domain2 and, for administrative reasons, a new user (User2) has been created in Domain2.

To address these scenarios, and more generally whenever an Office 365 user has to be disconnected from one on-premises user and reconnected to another in a Hybrid environment, we can use the following procedure, called Hard Match (the match is made on the ImmutableID, i.e. the SourceAnchor, and not on the primary SMTP address or UPN as in a Soft Match):

Some additional information: in these scenarios we make the following assumptions:

  1. User1 and User2 are in the same AD forest. This is important because they are two distinct objects and therefore have two different ObjectGUIDs, so the cloud object will never match User2 on its own; it has to be re-pointed explicitly.
  2. The AD Connect version matters, because the Hard Match may not work with every version of AD Connect. Please check the AD Connect Fixes & Improvements release notes.
  3. AD Connect is used for directory synchronization between on-premises AD and Azure AD (Office 365).
  4. AD Connect is using ObjectGUID as SourceAnchor (ImmutableID).
  5. The environment is running Exchange 2013 RU11.

Now, please find the step by step to disconnect and reconnect a user to Office 365 using Hard Match:

  1. Information regarding the users and the environment:
    • User1 will be Source\User1
      • User1 UPN: User1@company.com
      • Source\User1 has a Remote Mailbox (Office 365 mailbox)
    • User2 will be Destination\User2
      • User2 is not synced to the cloud
  2. Update the Source\User1 attributes:
    • Mail
    • TargetAddress
    • UPN: in this procedure User2 will take over User1's UPN, because the primary e-mail address has to match the UPN. Only one object in the forest can hold User1@company.com as UPN, so User1's UPN has to be changed first: we rename User1@company.com to #User1@company.com so that User1@company.com can be assigned to Destination\User2.
    • ProxyAddresses: save the ProxyAddresses attribute, then clear it.
  3. Disable the Source\User1 Remote Mailbox.
  4. Remove Source\User1 from the AD Connect sync scope:
    • Update the attribute used by AD Connect to decide whether a user is synced to Office 365 or not (the filtering attribute).
    • Wait for a delta sync cycle to complete.
  5. Disable the source user.
  6. Restore the MSOL user (Source\User1: User1@company.com):
    • Restore the MSOL user (User1@company.com)
    • Set the ImmutableID of the restored MSOL user (User1@company.com) to null
    • Calculate the ImmutableID of the destination user (Destination\User2)
    • Set the ImmutableID of the MSOL user (User1@company.com) to the ImmutableID of Destination\User2
    • Change the MSOL user UPN to User1@company.onmicrosoft.com
    • Delete the MSOL user (User1@company.onmicrosoft.com)
  7. Update the Destination\User2 attributes:
    • Update Destination\User2 to match the Source\User1 attributes
    • Update the Destination\User2 UPN to User1@company.com (be sure to wait for AD replication first, or it will fail because a user with the same UPN still exists in the forest)
    • Enable the destination user
  8. Add Destination\User2 to the AD Connect sync scope:
    • Update the attribute used by AD Connect to decide whether a user is synced to Office 365 or not
  9. Enable the Remote Mailbox for Destination\User2:
    • Enable the Remote Mailbox for Destination\User2
    • Reattach the archive mailbox to the Office 365 mailbox (if one was previously attached to Source\User1)
    • Assign the ProxyAddresses previously saved from Source\User1
    • Update TargetAddress
  10. When complete, wait for the AD Connect sync cycle (I recommend waiting for at least 2 cycles; sometimes the Hard Match does not work at the first sync).
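The ten steps above as a single PowerShell run-book. This is an added example, not the script the article promises to publish: the domain controller, AD Connect server and tenant names, the attribute used for AD Connect filtering (extensionAttribute15 with the values Sync/NoSync) and the account names are assumptions made for the example. It uses the MSOnline cmdlets the procedure refers to (Restore-MsolUser, Set-MsolUser -ImmutableId, Set-MsolUserPrincipalName, Remove-MsolUser), Start-ADSyncSyncCycle on the AD Connect server and Disable/Enable-RemoteMailbox from the Exchange Management Shell. Two checks the step list does not spell out are built in: it waits until a global catalog no longer knows the old UPN before handing it to User2, and it finishes by reading the cloud object's ImmutableId back and comparing it with the value computed from User2's ObjectGUID. Keep in mind what a hard match does: it re-points an existing cloud identity, with its mailbox, OneDrive, licenses and group memberships, at a different AD account, so make sure the ObjectGUID you convert really is User2's and keep the transcript.

```powershell
# Added example: the Hard Match procedure above as one run-book. Everything marked
# "assumption" is a placeholder for this example, not a value from the article.
# Needs: ActiveDirectory + MSOnline modules, an Exchange Management Shell
# (Disable/Enable-RemoteMailbox), PowerShell remoting to the AD Connect server (ADSync).
$SourceDC       = 'dc1.source.company.local'        # assumption
$DestinationDC  = 'dc1.destination.company.local'   # assumption
$AADConnectHost = 'aadconnect.company.local'        # assumption
$Tenant         = 'company'                          # assumption: company.onmicrosoft.com
$FilterAttr     = 'extensionAttribute15'             # assumption: AD Connect attribute filtering uses it
$InScope        = 'Sync'; $OutOfScope = 'NoSync'     # assumption: its in-scope / out-of-scope values
$SourceSam      = 'User1'; $DestSam = 'User2'
$Upn            = 'User1@company.com'
$TempUpn        = "User1@$Tenant.onmicrosoft.com"

Import-Module ActiveDirectory, MSOnline
Connect-MsolService                                  # prompts for an Office 365 admin credential

function ConvertTo-ImmutableId([guid]$ObjectGuid) { [Convert]::ToBase64String($ObjectGuid.ToByteArray()) }

function Wait-DeltaSync([int]$Cycles = 1) {
    # Start a delta sync on the AD Connect server and block until no connector is running.
    1..$Cycles | ForEach-Object {
        Invoke-Command -ComputerName $AADConnectHost -ScriptBlock {
            Import-Module ADSync
            Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
            do { Start-Sleep -Seconds 30 } while (Get-ADSyncConnectorRunStatus)
        }
    }
}

# Step 1: read Source\User1 and keep what has to be copied to User2 later.
$src = Get-ADUser $SourceSam -Server $SourceDC -Properties mail, targetAddress, proxyAddresses
$Saved = @{ mail = $src.mail; targetAddress = $src.targetAddress; proxyAddresses = @($src.proxyAddresses) }
$HadArchive = (Get-RemoteMailbox -Identity $src.DistinguishedName).ArchiveGuid -ne [guid]::Empty

# Step 3 then 2: Disable-RemoteMailbox clears mail/targetAddress/proxyAddresses on the AD object;
# the UPN has to be freed by hand because only one object in the forest may hold it.
Disable-RemoteMailbox -Identity $src.DistinguishedName -Confirm:$false
Set-ADUser $src -Server $SourceDC -UserPrincipalName "#$Upn"

# Steps 4 and 5: out of scope -> one delta sync soft-deletes the cloud object -> disable the account.
Set-ADUser $src -Server $SourceDC -Replace @{ $FilterAttr = $OutOfScope }
Wait-DeltaSync
Disable-ADAccount $src -Server $SourceDC

# Step 6: restore the soft-deleted cloud user, re-anchor it on User2's ObjectGUID, park it on the
# tenant domain and delete it again, so that the next sync of User2 hard-matches it.
$dst = Get-ADUser $DestSam -Server $DestinationDC
$NewImmutableId = ConvertTo-ImmutableId $dst.ObjectGUID
Restore-MsolUser -UserPrincipalName $Upn
Set-MsolUser -UserPrincipalName $Upn -ImmutableId $null      # some MSOnline builds want the literal string "$null"
Set-MsolUser -UserPrincipalName $Upn -ImmutableId $NewImmutableId
Set-MsolUserPrincipalName -UserPrincipalName $Upn -NewUserPrincipalName $TempUpn
Remove-MsolUser -UserPrincipalName $TempUpn -Force

# Step 7: the UPN is unique per forest, so wait until a global catalog no longer knows the old
# holder (replication from the source domain) before giving it to User2.
$Gc = "${DestinationDC}:3268"
while (Get-ADUser -Server $Gc -SearchBase '' -Filter "userPrincipalName -eq '$Upn'") { Start-Sleep -Seconds 30 }
Set-ADUser $dst -Server $DestinationDC -UserPrincipalName $Upn -EmailAddress $Saved.mail
Enable-ADAccount $dst -Server $DestinationDC

# Steps 8 and 9: back in scope; remote mailbox routed to User1's existing cloud mailbox (its old
# targetAddress), archive if User1 had one, then the saved proxyAddresses and targetAddress.
Set-ADUser $dst -Server $DestinationDC -Replace @{ $FilterAttr = $InScope }
$RoutingAddress = $Saved.targetAddress -replace '^smtp:', ''
Enable-RemoteMailbox -Identity $dst.DistinguishedName -RemoteRoutingAddress $RoutingAddress
if ($HadArchive) { Enable-RemoteMailbox -Identity $dst.DistinguishedName -Archive }
Set-ADUser $dst -Server $DestinationDC -Replace @{ proxyAddresses = $Saved.proxyAddresses; targetAddress = $Saved.targetAddress }

# Step 10: two delta cycles, then prove the cloud object really points at User2 now.
Wait-DeltaSync -Cycles 2
$cloud = Get-MsolUser -UserPrincipalName $Upn
if ($cloud.ImmutableId -eq $NewImmutableId) { "Hard match OK: $Upn -> $DestSam ($($dst.ObjectGUID))" }
else { Write-Warning "Hard match not applied: cloud ImmutableId is '$($cloud.ImmutableId)', expected '$NewImmutableId'" }
```

The final comparison is the one line worth keeping in any variant of this script: if the ImmutableId read back from the cloud does not equal the Base64 of User2's ObjectGUID, User2 is not linked to the mailbox yet, whatever the sync logs look like, and the next delta cycle should be awaited before touching anything else.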

Important information: while using this procedure, the mailbox is disabled between step 3 and step 10, so anyone mailing the Office 365 mailbox during that window receives an NDR. The downtime is therefore:

  1. 1 AD Connect sync cycle after step 3 (the delta sync awaited in step 4):
    • wait for the next delta sync: the default scheduler interval is 30 min
    • wait for the delta sync cycle to complete (run time): less than 30 min
  2. 2 AD Connect sync cycles for step 10

So with the default AD Connect configuration, if you are not able to start a delta sync yourself (Start-ADSyncSyncCycle -PolicyType Delta on the AD Connect server), the maximum downtime will be 3 cycles of up to 1 hour each, i.e. 3 hours.

 

This article will be updated with PowerShell cmdlets.

 

How to calculate the ImmutableID using PowerShell

I have been writing onboarding scripts and I have faced some issues involving the ImmutableID. The ImmutableID is the unique identifier created by your directory synchronization: it is a conversion of the ObjectGUID attribute of your object (the 16 GUID bytes encoded in Base64).

So please find how to calculate the ImmutableID from the ObjectGUID:

First you have to retrieve the ObjectGUID of the user:

Import-Module ActiveDirectory
$User = Get-ADUser $UserSamAccount -Properties ObjectGUID -Server $DC

Then convert the GUID to its byte array and Base64-encode it (this is exactly what AD Connect does when ObjectGUID is the SourceAnchor):

$ImmutableID = [System.Convert]::ToBase64String(([GUID]($User.ObjectGUID)).ToByteArray())
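An added example, not the post's own code, that turns the two lines above into reusable functions: the forward conversion, the reverse one (Base64 back to GUID, useful when a cloud user's ImmutableId has to be traced to an on-premises object) and a check that compares what Get-MsolUser reports with what the on-premises anchor predicts. The self-check at the end uses a constructed GUID. One caveat the post does not cover: newer AD Connect installations use ms-DS-ConsistencyGuid as SourceAnchor. AD Connect seeds that attribute with the ObjectGUID bytes, so the conversion is the same, but on an object whose ms-DS-ConsistencyGuid was set by hand the two can differ and it is the consistency GUID that the ImmutableId encodes; the -UseConsistencyGuid switch covers that case.

```powershell
# Added example: ImmutableID <-> GUID helpers and a cloud/on-prem comparison.
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # 16 GUID bytes (GUID.ToByteArray order, the order AD stores objectGUID in) -> 24 Base64 chars ending "==".
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    $bytes = [Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) { throw "'$ImmutableId' decodes to $($bytes.Length) bytes; not a GUID-based anchor" }
    New-Object System.Guid -ArgumentList (,$bytes)
}

function Test-ImmutableIdMatch {
    # Compares the cloud ImmutableId with the one predicted from the on-premises anchor attribute.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [string]$Server,                # optional DC; omit to use the default one
        [switch]$UseConsistencyGuid     # AD Connect installs that anchor on ms-DS-ConsistencyGuid instead of objectGUID
    )
    $srv = if ($Server) { @{ Server = $Server } } else { @{} }
    $ad = Get-ADUser $SamAccountName @srv -Properties objectGUID, 'mS-DS-ConsistencyGuid'
    $expected = if ($UseConsistencyGuid -and $ad.'mS-DS-ConsistencyGuid') {
        [Convert]::ToBase64String([byte[]]$ad.'mS-DS-ConsistencyGuid')   # already the raw 16 bytes
    } else {
        ConvertTo-ImmutableId $ad.ObjectGUID
    }
    $cloud = Get-MsolUser -UserPrincipalName $UserPrincipalName
    [pscustomobject]@{
        User                = $UserPrincipalName
        OnPremObjectGuid    = $ad.ObjectGUID
        ExpectedImmutableId = $expected
        CloudImmutableId    = $cloud.ImmutableId
        CloudAnchorAsGuid   = if ($cloud.ImmutableId) { ConvertFrom-ImmutableId $cloud.ImmutableId } else { $null }
        Match               = ($cloud.ImmutableId -eq $expected)
    }
}

# Offline self-check with a constructed GUID: the conversion must round-trip exactly.
$g  = [guid]'12345678-9abc-def0-1234-56789abcdef0'
$id = ConvertTo-ImmutableId $g
if ((ConvertFrom-ImmutableId $id) -ne $g) { throw 'round trip failed' }
"$g -> $id"
```

Test-ImmutableIdMatch is the check to run before and after any hard match: a False in the Match column with a non-empty CloudImmutableId means the cloud object is anchored to some other on-premises object, and CloudAnchorAsGuid tells you which one to look for with Get-ADObject.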

 

 

How to check if your AD FS environment is using SQL or WID

Please find a PowerShell command that will help you find out whether your AD FS configuration database is hosted in SQL Server or in the Windows Internal Database (WID). Run it on an AD FS server:

Get-WmiObject -Class SecurityTokenService -Namespace root/ADFS | Select-Object ConfigurationDatabaseConnectionString

The answer is in the Data Source part of the connection string:

  • For WID on Windows Server 2012 and later, we are expecting:

ConfigurationDatabaseConnectionString
-------------------------------------
Data Source=np:\\.\pipe\microsoft##WID\tsql\query;Initial Catalog=AdfsConfiguration;Integrated Security=True

  • For WID on Windows Server 2008 R2 (AD FS 2.0), where the internal database is still the "SQL Server Embedded Edition" (SSEE) instance, we are expecting:

ConfigurationDatabaseConnectionString
-------------------------------------
Data Source=\\.\pipe\mssql$microsoft##ssee\sql\query;Initial Catalog=AdfsConfiguration;Integrated Security=True

  • For SQL Server, the Data Source is the SQL host (and instance) name instead of a local named pipe, for example Data Source=<server>\<instance>;Initial Catalog=AdfsConfiguration;Integrated Security=True
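An added example, not the post's command: a small parser that classifies any ConfigurationDatabaseConnectionString, so the decision does not depend on eyeballing the named pipe, run against three constructed connection strings (the two WID shapes above and an assumed SQL host, sql01.corp.example.com\ADFS). On an AD FS server, Get-LocalAdfsConfigDbType performs the live query with Get-CimInstance, the supported successor of Get-WmiObject. The answer matters beyond farm sizing: with a SQL backend the configuration database, which holds the AD FS-managed token-signing and token-decrypting certificates (DKM-encrypted), lives on another host, so that SQL Server has to be protected like the AD FS servers themselves.

```powershell
# Added example (not the post's command). Offline parser plus a live wrapper for an AD FS server.
function Get-AdfsConfigDbType {
    # Classifies an AD FS ConfigurationDatabaseConnectionString by its Data Source.
    param([Parameter(Mandatory)][string]$ConnectionString)
    $parts = @{}
    foreach ($kv in ($ConnectionString -split ';')) {
        $k, $v = $kv -split '=', 2
        if ($k -and $null -ne $v) { $parts[$k.Trim()] = $v.Trim() }
    }
    $ds = [string]$parts['Data Source']
    $backend = switch -Regex ($ds) {
        'microsoft##WID'  { 'WID (Windows Internal Database, Server 2012 and later)'; break }
        'microsoft##SSEE' { 'WID (Windows Internal Database / SSEE, Server 2008 R2)'; break }
        '^\s*$'           { 'Unknown (no Data Source in the string)'; break }
        default           { 'SQL Server' }
    }
    [pscustomobject]@{
        Backend            = $backend
        DataSource         = $ds
        Database           = $parts['Initial Catalog']
        IntegratedSecurity = $parts['Integrated Security']
    }
}

function Get-LocalAdfsConfigDbType {
    # Live query on an AD FS server; same WMI class as the one-liner above, via CIM.
    $sts = Get-CimInstance -Namespace root/ADFS -ClassName SecurityTokenService
    Get-AdfsConfigDbType -ConnectionString $sts.ConfigurationDatabaseConnectionString
}

# Constructed samples: the two WID shapes and an assumed SQL host (sql01.corp.example.com\ADFS).
@(
    'Data Source=np:\\.\pipe\microsoft##WID\tsql\query;Initial Catalog=AdfsConfiguration;Integrated Security=True',
    'Data Source=\\.\pipe\mssql$microsoft##ssee\sql\query;Initial Catalog=AdfsConfiguration;Integrated Security=True',
    'Data Source=sql01.corp.example.com\ADFS;Initial Catalog=AdfsConfiguration;Integrated Security=True'
) | ForEach-Object { Get-AdfsConfigDbType -ConnectionString $_ } | Format-Table -AutoSize
```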

How to migrate from an Exchange 2013 Hybrid server (onboarding using a migration batch)

These scripts were created to migrate users from an Exchange organization that uses an Exchange 2013 server as Hybrid server. The two scripts migrate users to the cloud with a migration batch. They use a Users.csv file as input to create the migration batch; this CSV only needs the PrimarySMTPAddress of each user you want to migrate to Office 365, and every other piece of information (such as the user's UPN) is retrieved by the script.

The information that needs to be updated in the script is:

  • Office 365 Global Admin user name
  • Notification e-mail address that receives a message when the migration batch is completed
  • UsageLocation
  • Hybrid server name (FQDN)
  • License SKU (from Get-MsolAccountSku)
  • Your target domain (your .onmicrosoft.com domain)

Sync v2.0.ps1

Once this script has run successfully, you can use the following script to complete the migration batch. Until the batch is completed, mail flow stays on-premises and the migration batch keeps the mailbox synchronized between the two organizations (Office 365 and on-premises); completing it is what switches mail flow to Office 365.

Complete.ps1
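An added example, not the Sync v2.0.ps1 / Complete.ps1 scripts themselves, showing the sequence those two scripts automate and the cmdlets involved, for a Users.csv holding one PrimarySMTPAddress column: resolve each address to the on-premises UPN, set UsageLocation and license the cloud user, create (or reuse) the ExchangeRemoteMove migration endpoint to the hybrid server, build the EmailAddress CSV that New-MigrationBatch takes as bytes, start the batch and, as the second script does, complete it only once every user in it has reached the Synced state. All names (hybrid server, tenant, addresses, SKU, path) are placeholders. It assumes a session already connected to Exchange Online (see the "How to connect" post further down) and the ActiveDirectory module for the UPN lookup.

```powershell
# Added example (placeholders throughout, not the page's scripts).
$HybridServer  = 'hybrid01.company.com'              # on-prem Exchange 2013 hybrid server (MRS proxy enabled)
$TargetDomain  = 'company.mail.onmicrosoft.com'      # target delivery domain of the hybrid configuration
$NotifyAddress = 'migrations@company.com'            # receives the batch completion mail
$UsageLocation = 'FR'
$LicenseSku    = 'company:ENTERPRISEPACK'            # from Get-MsolAccountSku
$UsersCsv      = 'C:\Migration\Users.csv'            # single column: PrimarySMTPAddress
$BatchName     = 'Onboarding-' + (Get-Date -Format 'yyyyMMdd-HHmm')

Import-Module ActiveDirectory, MSOnline
Connect-MsolService                                  # Exchange Online session assumed already imported
$OnPremCred = Get-Credential -Message 'On-premises admin (DOMAIN\user) used by the MRS proxy'

# 1. Resolve every PrimarySMTPAddress to the on-premises UPN (the value AD Connect synced as the cloud UPN).
$Users = @(foreach ($row in Import-Csv $UsersCsv) {
    $smtp = $row.PrimarySMTPAddress.Trim()
    $ad = Get-ADUser -Filter "proxyAddresses -eq 'SMTP:$smtp'" -Properties userPrincipalName
    if (-not $ad) { Write-Warning "No AD user with primary address $smtp, skipped"; continue }
    [pscustomobject]@{ Smtp = $smtp; Upn = $ad.UserPrincipalName }
})

# 2. UsageLocation first (licensing refuses a user without one), then the license if it is missing.
foreach ($u in $Users) {
    Set-MsolUser -UserPrincipalName $u.Upn -UsageLocation $UsageLocation
    $has = (Get-MsolUser -UserPrincipalName $u.Upn).Licenses.AccountSkuId
    if ($has -notcontains $LicenseSku) { Set-MsolUserLicense -UserPrincipalName $u.Upn -AddLicenses $LicenseSku }
}

# 3. Migration endpoint to the hybrid server: reuse an existing one, otherwise create it.
$Endpoint = Get-MigrationEndpoint -Identity $HybridServer -ErrorAction SilentlyContinue
if (-not $Endpoint) {
    $Endpoint = New-MigrationEndpoint -ExchangeRemoteMove -Name $HybridServer -RemoteServer $HybridServer -Credentials $OnPremCred
}

# 4. New-MigrationBatch wants the CSV as a byte array with an EmailAddress column.
$CsvBytes = [Text.Encoding]::UTF8.GetBytes("EmailAddress`r`n" + (($Users.Smtp) -join "`r`n") + "`r`n")
New-MigrationBatch -Name $BatchName -SourceEndpoint $Endpoint.Identity -TargetDeliveryDomain $TargetDomain `
    -CSVData $CsvBytes -NotificationEmails $NotifyAddress -AutoStart | Out-Null
"Batch $BatchName started for $($Users.Count) user(s); initial sync running"

# 5. (Complete.ps1 part) Complete the batch only when every mailbox has reached Synced; completing
#    is what moves the mailboxes and switches mail flow to Office 365.
function Complete-OnboardingBatch([string]$Name) {
    $pending = @(Get-MigrationUser -BatchId $Name | Where-Object { $_.Status -notin 'Synced', 'Completed' })
    if ($pending.Count) {
        $list = ($pending | ForEach-Object { "$($_.Identity) [$($_.Status)]" }) -join ', '
        Write-Warning "Not completing ${Name}: $($pending.Count) user(s) not yet Synced: $list"
        return
    }
    Complete-MigrationBatch -Identity $Name -Confirm:$false
    Get-MigrationBatch -Identity $Name | Select-Object Identity, Status, TotalCount, SyncedCount, FinalizedCount, FailedCount
}
# Complete-OnboardingBatch -Name $BatchName
```

The guard in Complete-OnboardingBatch is the part worth copying: Complete-MigrationBatch finalizes whatever is in the batch, so a user still in Syncing or Failed state is better reported and handled first than completed half-migrated.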

How to update the schema for Exchange 2013/2016

Some Exchange Rollups or Cumulative Updates require a schema update. Please find how I proceed.

Before you begin

  1. Be sure you are a member of the following security groups (log off and on again after being added, so that your logon token carries the new memberships):
    • Schema Admins
    • Enterprise Admins
  2. Check that AD replication is working properly (repadmin /replsummary).
  3. Check the current version of Exchange in AD using the following script: Retrieve_Exchange_Version_From_AD.ps1

Extend the schema (AD)

  1. Connect to a domain member server that is in the same AD domain and site as the Schema Master.
  2. Run the following command from the extracted Exchange installation files:
    Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms
    (the schema and domains can be updated from the Exchange DVD, Service Pack or Cumulative Update media)
  3. After Setup has finished extending the schema, wait while Active Directory replicates the changes to all of your DCs.
  4. You can check whether replication is complete using the following script: Retrieve_Exchange_Version_From_AD.ps1

We are expecting the Exchange schema attribute (rangeUpper on ms-Exch-Schema-Version-Pt) to be updated to the new schema version. Please refer to the following links to find the expected version after installing your CU or SP:

  1. Exchange 2013:
  2. Exchange 2016:
  3. Exchange 2010 and legacy versions:

Prepare AD

During this step, we update and create the Exchange containers and other objects in the Configuration partition of AD.

The schema must be fully updated and replicated before running this step.

  1. Open a CMD prompt and go to the folder where you extracted the Exchange installation files.
  2. Run the following command: Setup.exe /PrepareAD /OrganizationName:"<organization name>" /IAcceptExchangeServerLicenseTerms
  3. Wait for replication to occur between all your DCs.
  4. Verify that AD has been prepared (objectVersion on the Exchange organization container) using the following script: Retrieve_Exchange_Version_From_AD.ps1

Prepare all domains

During this step, we update and create the Exchange containers and other objects in the remaining domains of the forest:

  1. /PrepareAD must have replicated before running this step.
  2. Open a CMD prompt and go to the folder where you extracted the Exchange installation files.
  3. Run the following command: Setup.exe /PrepareAllDomains /IAcceptExchangeServerLicenseTerms
  4. Wait for replication.
  5. Verify that /PrepareAllDomains ran successfully (objectVersion on the Microsoft Exchange System Objects container of each domain) using the following script: Retrieve_Exchange_Version_From_AD.ps1
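The three verification steps above all read version markers that Setup stamps into AD. Retrieve_Exchange_Version_From_AD.ps1 is not reproduced on this page, so the following is an added example of my own, not that script, reading the same markers: rangeUpper on ms-Exch-Schema-Version-Pt (/PrepareSchema), objectVersion on the organization container under CN=Microsoft Exchange,CN=Services (/PrepareAD) and objectVersion on CN=Microsoft Exchange System Objects in each domain (/PrepareAllDomains). It queries every DC in the forest and flags any DC that has not yet replicated what the schema master holds; pass -ExpectedSchemaVersion with the rangeUpper value from the links above to also check that you landed on the right CU.

```powershell
# Added example (not the page's Retrieve_Exchange_Version_From_AD.ps1). Needs the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-ExchangeADVersion {
    # Reads the three version markers Exchange Setup writes to AD, as seen from one DC.
    param([Parameter(Mandatory)][string]$Server)
    $root = Get-ADRootDSE -Server $Server
    $schema = Get-ADObject -Server $Server -Identity "CN=ms-Exch-Schema-Version-Pt,$($root.schemaNamingContext)" -Properties rangeUpper
    $org = Get-ADObject -Server $Server -SearchBase "CN=Microsoft Exchange,CN=Services,$($root.configurationNamingContext)" `
        -SearchScope OneLevel -Filter 'objectClass -eq "msExchOrganizationContainer"' -Properties objectVersion -ErrorAction SilentlyContinue
    $dom = Get-ADObject -Server $Server -Identity "CN=Microsoft Exchange System Objects,$($root.defaultNamingContext)" `
        -Properties objectVersion -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Server        = $Server
        Domain        = $root.defaultNamingContext
        SchemaVersion = $schema.rangeUpper            # /PrepareSchema
        OrgVersion    = @($org)[0].objectVersion      # /PrepareAD
        DomainVersion = $dom.objectVersion            # /PrepareAllDomains, for this DC's own domain
    }
}

function Test-ExchangeADVersionReplicated {
    # Compares every DC in the forest with the schema master. -ExpectedSchemaVersion is the rangeUpper
    # value documented for the CU you installed (0 = do not check).
    param([int]$ExpectedSchemaVersion = 0)
    $forest = Get-ADForest
    $master = Get-ExchangeADVersion -Server $forest.SchemaMaster
    if ($ExpectedSchemaVersion -and $master.SchemaVersion -ne $ExpectedSchemaVersion) {
        Write-Warning "Schema master holds rangeUpper $($master.SchemaVersion), expected $ExpectedSchemaVersion"
    }
    foreach ($domain in $forest.Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
            try { $v = Get-ExchangeADVersion -Server $dc.HostName }
            catch { Write-Warning "$($dc.HostName): $($_.Exception.Message)"; continue }
            $v | Add-Member -NotePropertyName InSync -PassThru -NotePropertyValue (
                $v.SchemaVersion -eq $master.SchemaVersion -and $v.OrgVersion -eq $master.OrgVersion)
        }
    }
}

# Usage: run after each Setup phase until every DC shows InSync = True.
# Test-ExchangeADVersionReplicated -ExpectedSchemaVersion <rangeUpper from the links above> | Format-Table -AutoSize
```

DomainVersion is reported but not used in the InSync flag, because each domain legitimately carries its own value; compare it DC by DC within one domain after /PrepareAllDomains.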

Sources:

  1. Exchange 2010 and Legacy Version:
  2. Exchange 2013:
  3. Exchange 2016:

 

 

 

How to connect to Office 365 (Exchange Online) using Windows PowerShell

1.  Software requirements

Install the 64-bit version of the Microsoft Online Services Sign-in Assistant: Link

Install the 64-bit version of the Windows Azure AD Module for Windows PowerShell: Link

2.  Retrieve the credential of a user with sufficient permissions (a Global Admin, for example)

# Update the credential with the appropriate UPN (user name)
$credential = Get-Credential -Credential GlobalAdmin@Tenant.onmicrosoft.com

3.  Import the Office 365 module

# Import the Office 365 module
Import-Module MSOnline

4.  Connect to Office 365

# Connect to Office 365 using the credential provided above
Connect-MsolService -Credential $credential

5.  Create and import the Exchange Online PS session

# Create a PS session to Exchange Online
$ExchangeModule = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://ps.outlook.com/powershell" -Credential $credential -Authentication Basic -AllowRedirection

# Import the PS session created above (-AllowClobber lets it replace cmdlets of the same name from a previous session)
Import-PSSession $Ex
changeModule -DisableNameChecking -AllowClobber

 

Please find how to use this script:

Please find a copy of the script: Connect_to_O365.ps1

Option 1: launch the script whenever you need to connect to Office 365.

Before that, please be sure the requirements are met (the software above and an execution policy that allows running scripts).

Option 2: update your PowerShell profile with a function

 

1.  Create a function

Function Connect-ExchangeOnline {
    # Update the credential with the appropriate UPN (user name)
    $credential = Get-Credential -Credential GlobalAdmin@tenant.onmicrosoft.com

    # Import the Office 365 module
    Import-Module MSOnline

    # Connect to Office 365 using the credential provided above
    Connect-MsolService -Credential $credential

    # Create a PS session to Exchange Online
    $ExchangeModule = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri https://ps.outlook.com/powershell -Credential $credential `
        -Authentication Basic -AllowRedirection

    # Import the PS session created above
    # (-AllowClobber lets it replace cmdlets of the same name from a previous session)
    Import-PSSession $ExchangeModule -DisableNameChecking -AllowClobber
}

2.  Open your PowerShell profile

a.  Open Windows PowerShell

b.  Type $Profile; this prints the location of your PowerShell profile (Microsoft.PowerShell_profile.ps1). If the file does not exist yet, create it with New-Item -ItemType File -Path $Profile -Force

c.  Open Microsoft.PowerShell_profile.ps1 with any text editor (in this case Notepad)

d.  Paste the function and save the change

3.  Re-open Windows PowerShell, then type the function name: Connect-ExchangeOnline

Provide your Office 365 tenant admin credential and you are now connected to Exchange Online using Windows PowerShell.
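Two things have changed since the function above was written: Basic authentication against ps.outlook.com has been switched off in Exchange Online, and the MSOnline module (Connect-MsolService) has been retired, so the profile function no longer connects to a current tenant. The following is an added example, not the post's script, with the same "connect from my profile" idea built on the ExchangeOnlineManagement module, which signs in with modern authentication (MFA and Conditional Access are honoured, no password stored in the profile). The admin UPN is a placeholder, and the module is assumed to be installable from the PowerShell Gallery. The function is deliberately not called Connect-ExchangeOnline, because that is now the module's own cmdlet and a profile function with that name would shadow it.

```powershell
# Added example (not the post's function): profile function on the ExchangeOnlineManagement module.
function Connect-MyExchangeOnline {
    param(
        [string]$UserPrincipalName = 'GlobalAdmin@tenant.onmicrosoft.com',   # placeholder admin UPN
        [string]$Prefix = 'Cloud'   # Get-CloudMailbox = Exchange Online, Get-Mailbox = the on-premises EMS
    )
    if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
        Install-Module ExchangeOnlineManagement -Scope CurrentUser -Force
    }
    Import-Module ExchangeOnlineManagement
    # Reuse an open session instead of stacking a new one (sessions are limited per user).
    $open = Get-ConnectionInformation -ErrorAction SilentlyContinue |
        Where-Object { $_.State -eq 'Connected' -and $_.UserPrincipalName -eq $UserPrincipalName }
    if ($open) { Write-Host "Already connected to Exchange Online as $UserPrincipalName"; return }
    # Interactive modern-auth sign-in; the cmdlet prefix makes it visible which organisation a command hits.
    Connect-ExchangeOnline -UserPrincipalName $UserPrincipalName -Prefix $Prefix -ShowBanner:$false
}

function Disconnect-MyExchangeOnline {
    # Close the session so the access token is not left usable in the host.
    Disconnect-ExchangeOnline -Confirm:$false
}
```

The -Prefix is the hybrid administrator's safety belt: with the on-premises Exchange Management Shell loaded in the same host, Get-Mailbox and Get-CloudMailbox can never be confused, which is exactly the mistake that the -AllowClobber of the old approach made easy.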


How to add & check a remote IP range on a specific Receive Connector using PowerShell (PS1 with comments)

This script was created to check and add remote IP ranges on Receive Connectors of Exchange 2010/2013/2016. It opens a remote connection to the Exchange server, then either checks whether an IP address is already covered by a specific Receive Connector or adds a specific IP address (or range) to that Receive Connector.

Add_Check_RemoteIP.ps1
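An added example, not the Add_Check_RemoteIP.ps1 script, of the same check-then-add logic with two details a practitioner wants. First, "already present" is decided numerically: RemoteIPRanges holds single addresses, CIDR blocks and a-b ranges, so a string comparison would happily add 10.0.1.5 to a connector that already covers 10.0.1.0/24, and because Exchange routes an incoming session to the connector with the most specific matching range, such a duplicate can silently steal traffic from another connector. Second, on a connector whose PermissionGroups include AnonymousUsers (a relay connector), adding a range wider than /24 is refused unless -Force is given, since a broad anonymous range is how a relay connector turns into an open relay. The connector name and the self-check values are constructed for the example; the functions are run in an Exchange Management Shell (Get-/Set-ReceiveConnector) and handle IPv4 only.

```powershell
# Added example (not the Add_Check_RemoteIP.ps1 script). Run it in an Exchange Management Shell.
function ConvertTo-IPv4Int([string]$Address) {
    # Dotted quad -> integer so ranges can be compared numerically.
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($b.Length -ne 4) { throw "$Address is not IPv4; this example only handles IPv4 ranges" }
    [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function Test-IPInRange {
    # True when $IP lies in $Range, written the way Exchange shows RemoteIPRanges:
    # "a.b.c.d", "a.b.c.d/nn" or "a.b.c.d-e.f.g.h".
    param([Parameter(Mandatory)][string]$IP, [Parameter(Mandatory)][string]$Range)
    $allOnes = 4294967295                                 # 0xFFFFFFFF as a positive Int64
    $x = ConvertTo-IPv4Int $IP
    if ($Range -match '^([\d.]+)-([\d.]+)$') {
        $lo = ConvertTo-IPv4Int $Matches[1]; $hi = ConvertTo-IPv4Int $Matches[2]
    } elseif ($Range -match '^([\d.]+)/(\d+)$') {
        $bits = [int]$Matches[2]
        $mask = ($allOnes -shl (32 - $bits)) -band $allOnes
        $lo = (ConvertTo-IPv4Int $Matches[1]) -band $mask
        $hi = $lo + ($allOnes - $mask)
    } else {
        $lo = $hi = ConvertTo-IPv4Int $Range
    }
    return ($x -ge $lo -and $x -le $hi)
}

function Add-ReceiveConnectorRemoteIP {
    # Adds $RemoteIP to the connector unless an existing range already covers it. Refuses ranges
    # wider than /24 on a connector that grants anonymous access unless -Force is given.
    param(
        [Parameter(Mandatory)][string]$Connector,   # e.g. 'EX01\Relay from app servers' (constructed name)
        [Parameter(Mandatory)][string]$RemoteIP,    # address, CIDR block or a-b range
        [switch]$Force
    )
    $rc = Get-ReceiveConnector -Identity $Connector
    $existing = @($rc.RemoteIPRanges | ForEach-Object { $_.ToString() })
    $probe = ($RemoteIP -split '[/-]')[0]
    $covered = @($existing | Where-Object { Test-IPInRange -IP $probe -Range $_ })
    if ($covered.Count) { return "$RemoteIP is already covered on $Connector by: $($covered -join ', ')" }
    $anonymous = [bool]($rc.PermissionGroups -match 'AnonymousUsers')
    if ($anonymous -and $RemoteIP -match '/(\d+)$' -and [int]$Matches[1] -lt 24 -and -not $Force) {
        throw "$RemoteIP is wider than /24 on an anonymous connector ($Connector); re-run with -Force if that is intended"
    }
    Set-ReceiveConnector -Identity $Connector -RemoteIPRanges ($existing + $RemoteIP)
    "Added $RemoteIP to $Connector (anonymous access: $anonymous)"
}

# Offline self-check of the range logic with constructed values.
if (-not (Test-IPInRange -IP '10.0.1.5'     -Range '10.0.1.0/24'))               { throw 'cidr' }
if (     (Test-IPInRange -IP '10.0.2.5'     -Range '10.0.1.0/24'))               { throw 'cidr-out' }
if (-not (Test-IPInRange -IP '192.168.1.20' -Range '192.168.1.10-192.168.1.30')) { throw 'range' }
if (-not (Test-IPInRange -IP '172.16.0.9'   -Range '172.16.0.9'))                { throw 'single' }
# Usage: Add-ReceiveConnectorRemoteIP -Connector 'EX01\Relay from app servers' -RemoteIP '10.0.1.0/24'
```

Before adding anything, Get-ReceiveConnector -Server <server> | Select-Object Identity, PermissionGroups, RemoteIPRanges is worth a look: if the address you are about to add already sits in a range of another connector on the same server, the new entry wins only when it is more specific, and the session then arrives with the permissions of the connector you did not expect.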