In a previous post, I showed how you could update one user’s photo for their Outlook and AD profiles via PowerShell. In this post, we will explore how to do this for your entire organization via PowerShell to Office365.
NOTE: I have not tested the scripts as I do not have enough mailboxes in my O365 tenant along with not using a ‘.’ in my alias. If the scripts are incorrect, please inform me with the correction and I will update accordingly.
Please make sure that your photos are reviewed before posting, and try to keep the file size of the photos to a minimum. In Office 365, there exists a limitation for the user photo not to be more than 10 KB in size, but I will show you how to get around that limitation.
Having a user photo for each of your users is very beneficial as it personalizes each account to a face in the company. The user photos can be viewed in below locations:
Outlook Web Access
Contact Card
Thumbnail in emails
Outlook Client
Yammer
Lync Client
SharePoint (People Search / Newsfeed)
Steps to take:
Remove the 10KB photo size limitation in Exchange Online
Prepare a folder with all users photos
Update the profile photos via a PowerShell cmdlet.
Connect to Exchange Online with the RPS Proxy Method to remove the 10K size limitation
Connect to Exchange Online PowerShell removing the 10K limitation
NOTE: In the PowerShell cmdlet above, we connected using a different proxy method. This was to overwrite the limitation of uploading the images with size more than 10KB. Using the different proxy method (/?proxyMethod=RPS ) to connect to Office 365 in the above cmdlet accomplishes this.
Prepare a folder locally and place all the photos in that folder
Create a folder named C:/UserPics and make the filename of each photo be the username of that particular user. (i.e. llingerfelt.png) The below script should be able account for aliases that have a ‘.’ in the id as well. (i.e. lance.lingerfelt)
NOTE: From my research, there is no set photo type that is required for the photo. My suggestion would be to keep the photos .png for size constraints while maintaining picture clarity.
Update the profile pictures via PowerShell
Create the following script and name it Photos-Update.ps1
Run Photos-Update.ps1 and the script should upload the photos to Office 365 and apply each photo to the corresponding user.
NOTE: If you’re still having some issues with the alias having a ‘.’ in the name, you can also configure the Photos-Update.ps1 script in this manner to get that working properly:
I wanted to update my picture within my Outlook profile and AD account really quickly without having to go through OWA to do so. I found this cmdlet that will allow for that picture to be changed very quickly via Exchange PowerShell.
NOTE: This can be done with On-Premises Exchange and Exchange Online PowerShell
Old picture within my account
First, download the picture you want to use to the computer that you want to run the cmdlet from. Also, make sure the picture is cropped and centered prior to running the cmdlet. I saved the pic to C:\temp for my scenario. The best format to use would be jpg. I named the file User1_Profile.jpg
Next, open Exchange PowerShell on the computer you saved the pic to and run the following cmdlet to change the photo:
Wanted to do a quick post as I was working on my Hybrid Exchange Environment. I was unable to get the HCW to download and start from the Exchange Control Panel with the link provided on the page. This has happened to me for a while, so I went online and found a link that would work that could be downloaded and reused to open the HCW:
I get a lot of these incidents in my queue after a user has been migrated to O365. For whatever reason, most likely due to the mailbox being moved itself, whether it is the user’s mailbox, the shared mailbox, or both, the connections to the shared mailboxes stop working in Outlook and the user cannot connect to the shared mailbox.
Here is a quick and easy solution to use to disconnect and reconnect the shared mailbox(es) that you lose connectivity to when migrated. This is usually performed on Outlook 2016 and above as most users upgrade their client software when moved to O365.
First, we remove the existing shared mailbox connection:
Click the File > Account Settings > Account Settings.
Select your company email address in the account list.
Click Change > More Settings > Advanced tab > Select the Shared Mailbox > Remove
Click Apply > OK > Next > Finish.
The shared mailbox will now automatically be removed in your Folder pane in Outlook.
Second, we re-add the shared mailbox connection to Outlook:
Click the File > Account Settings > Account Settings.
Select your company email address in the account list.
Click Change > More Settings > Advanced tab > Add
Type the name of the shared mailbox in the window and click OK.
Click Apply > OK > Next > Finish.
The shared mailbox will now automatically be added to your Folder List pane within Outlook.
Note: The above procedure must be followed in order to properly reconnect the shared mailbox. You cannot remove and re-add the mailbox in the same process as that will not reset the connection properly. You must save the settings when disconnecting.
I hope that this will assist everyone when troubleshooting Outlook connectivity issues to shared mailboxes after a migration.
As many of you have knowledge, I am studying for my MS-202 Exam. And, part of the knowledge needed is to be able to migrate mailboxes between on premises and Exchange Online through PowerShell. Here are the steps for the scenario to move a mailbox from on premises to O365:
1. Connect to Exchange Online via PowerShell
If you have read my previous post: Connect to All PowerShell Modules in O365 with one script You should have all the settings needed to connect your PowerShell to O365. Note in this scenario, that all these cmdlets will be run from O365 PowerShell and will be monitored from O365 by either PowerShell or the Exchange Admin Center. You will not be able to monitor the moves from On-Premises.
2. Provide your on premises Migration Administrator credentials as a variable for your cmdlet.
1
$OnPremCred=Get-Credential-Message"Enter the On Premises Exchange Migration Admin account creds"
3. Move a single mailbox.
In your hybrid configuration you should be doing directory sync with O365/Azure and the accounts should be available in the cloud showing that they are synced with AD. This also assumes that you have your MRS Proxy endpoint enabled, which can be done by the HCW. Also, make sure you have your licensing available for your mailboxes. From my knowledge, you can assign your license to the account in the cloud before moving, especially if you have a particular license that you need to assign the account. Other than that, moving the mailbox will assign an existing license that is available that includes an Exchange Online mailbox feature when the mailbox is moved. Now we initiate the move with the cmdlet. Similar to what you would do in the GUI, this simple mailbox move cmdlet initiates the move request. It has most of the same parameters as a local move request including BadItemLimit, LargeItemLimit, AcceptLargeDataLoss, etc…
Use the following LINK for documentation on the New-MoveRequest cmdlet.
Move a single on premises mailbox to O365
1
2
3
4
5
6
7
8
#Set the identity of the mailbox being moved
$user=Read-Host"Enter the alias or E-Mail Address of the user being migrated: "
#Next Run the cmdlet for the New Mailbox Move Request
New-MoveRequest-Identity$user-remote-RemoteHostName(hybridURL)-TargetDeliveryDomain companyname.mail.onmicrosoft.com-RemoteCredential$OnPremCred-AcceptLargeDataLoss-BadItemLimit500-LargeItemLimit100-BatchName"$user Mailbox Move to O365"
Now with all migration projects, we expect to have to move multiple mailboxes in a single batch. The following will show the process for moving mailboxes in bulk from on premises to O365:
1. Connect to Exchange Online via PowerShell
If you have read my previous post: Connect to All PowerShell Modules in O365 with one script You should have all the settings needed to connect your PowerShell to O365. Note in this scenario, that all these cmdlets will be run from O365 PowerShell and will be monitored from O365 by either PowerShell or the Exchange Admin Center. You will not be able to monitor the moves from On-Premises.
2. Provide your on premises Migration Administrator credentials as a variable for your cmdlet.
1
$OnPremCred=Get-Credential-Message"Enter the On Premises Exchange Migration Admin account creds"
3. Move multiple mailboxes in a single batch.
In your hybrid configuration you should be doing directory sync with O365/Azure and the accounts should be available in the cloud showing that they are synced with AD. This also assumes that you have your MRS Proxy endpoint enabled, which can be done by the HCW. Also, make sure you have your licensing available for your mailboxes. From my knowledge, you can assign your license to the account in the cloud before moving, especially if you have a particular license that you need to assign the account. Other than that, moving the mailbox will assign an existing license that is available that includes an Exchange Online mailbox feature when the mailbox is moved.
This time you want to create a CSV file using the alias or emailaddress as your header and then list the appropriate value for all the users in your batch group. Save the file locally as MigrationBatch01.csv or a name of your choice.
Use EMailAddress OR Alias as the header
Next you initiate the mailbox moves. When specifying the mailbox identity in the cmdlet, use the respective header in your variable declaration (either $user.EMailAddress OR $user.Alias)
Use the following LINK for documentation on the New-MoveRequest cmdlet.
Move multiple on premises mailboxes to O365 in a Batch
Let’s say you’re an admin that needs to connect to Office365 via PowerShell often. Now, there are many different websites or blogs that will show you how to connect to each session via PowerShell. That can cause a headache since you can end up having five different PowerShell sessions running in five different windows. You end up having to enter a username and password all those times, which can become time consuming.
I want to show you here how to combine all those sessions into one script where, if you’re security is tight enough on your computer, you don’t even have to enter credentials. This way, you can click on one icon and pull up all the O365 PowerShell commands that you’ll need to manage your organization.
First you need to download the following PowerShell Module Installation Files so that your PowerShell Database will have the correct modules installed:
Next, we want to setup the CLI (Command Line Interface) to be too cool for school. I have learned it helps to have knowledge of how to customize the CLI window. You can do all of this in PowerShell ISE or Notepad, which ever you prefer. Here are the commands for the script that I use to setup the CLI:
Setup the CLI for PowerShell
1
2
3
4
5
6
7
8
9
#Set the PowerShell CLI. Make sure you have a directory named "C:\PowerShell"
set-locationc:\PowerShell
$a=(Get-Host).UI.RawUI
$a.BackgroundColor="black"
$a.ForegroundColor="yellow"
$a.WindowTitle="(Your Company Name) PowerShell for ALL O365 PowerShell Services"
$curUser=(Get-ChildItem Env:\USERNAME).Value
functionprompt{"(Your Company Name) O365 PS: $(get-date -f "hh:mm:ss tt")>"}
Next, you want to set your Execution Policy and put in your credentials so that you won’t be prompted to enter the user credentials when you run the script.
NOTE: MAKE SURE YOU KEEP YOUR SCRIPT SAFE AS THE CREDENTIALS ARE VISIBLE WITHIN THE SCRIPT IN PLAIN TEXT!
You can, alternatively, set your script to prompt for credentials every time by using the following:
$LiveCred = Get-Credential
Here is that part of the script:
Setup Execution Policy and Credentials
1
2
3
4
5
6
#Setup Execution Policy and Credentials using your Tenant Admin Credentials
Connect to the Security & Compliance PowerShell: NOTE – This one I still get “Access Denied” when trying to connect. I have looked for an answer to that issue, but have not found one. Please comment with a link if you have an answer so that I can update this script!
Connect to the Compliance and Security Center through PowerShell
1
2
3
4
#Connect the Security & Compliance Center PowerShell Module
Write-Host"Connecting to O365 Security & Compliance Online through PowerShell"-ForegroundColor Green
Write-Host"Be sure to check for any connectivity errors!"-ForegroundColor Green
Write-Host"Also, Remember to run 'Get-PSSession | Remove-PSSession' before closing your PowerShell Window!"-ForegroundColor Green
Write-Host"Successfully connected to all O365 PowerShell Services for (CompanyName)!"-ForegroundColor Green
Now you can create your icon for your desktop so that you can easily access the script. I would save the script to your Scripts directory.
That will usually be C:\Users\’username’\Documents\WindowsPowerShell\Scripts or wherever directory you choose.
To start, right click the desktop and choose New > Shortcut In the Target Field, enter the following for your PowerShell Shortcut, pointing to the path of your script:
Click on the Advanced button and check the box: Run As Administrator Under the General Tab, name your shortcut: (CompanyName) O365 All PowerShell Click OK to save the shortcut to your desktop.
LAST BUT NOT LEAST, RUN THE FOLLOWING COMMAND BEFORE EXITING OR CLOSING YOUR POWERSHELL WINDOW. THIS WILL REMOVE ALL THE SESSIONS YOU’VE CONNECTED TO:
I’m working on getting certified in Exchange Hybrid Scenarios and Exchange Online configuration as part of my skill set for Exchange. In doing so, I had successfully implemented a complete Full Hybrid Exchange Environment between my Exchange Online Tenant and my On Premises Exchange 2019 Environment last evening.
I wanted to give an update that was posted to my LinkedIn Posting on this. Thank you Brian Day for the vote of confidence and caution that running these cmdlets manually is not supported by Microsoft and that the HCW, like all the Online Microsoft Products, is constantly changing and being updated.
Important Note
As preparation, I bought some Exchange Online Plan 1 licenses which give me a 50 GB mailbox limit and basic mailbox functionality. It does not include the more advanced features such as ATP, or DLP. I am running most of those features through my On Premises Environment. I mainly wanted to be able to place mailboxes in the cloud and have a hybrid setup. My plan was to have mail flow continue through my On Premises environment so that my Exchange Server features would be used and I would not have to change any MX or SPF records. I also had my certificates in place for SSL and OWA so I would want keep mail flow routed that way, through on premises. I do want to be able to have Free/Busy lookups cross-premise so federation would have to be enabled as well. I would also have to enable the MRS proxy on my Exchange Server so that mailbox migration could be implemented cross-premise. I also have previously configured Azure AD Sync along with ADFS for Single Sign On. In my case, another server was not needed as I didn’t have enough mailboxes or real need to split my frontend and backend deployment. Running the Hybrid Configuration Wizard would not open any new ports or change any existing port traffic that was already configured on my firewall. These are just a few of the considerations that need to be looked at when considering a hybrid integration.
So, once I had all those considerations handled in my design, I ran the Hybrid Configuration Wizard. What I want to do in this blog post is to go through the steps that the wizard does in the background to setup the Hybrid Environment as you go through the Wizard.
I mainly used the following blog post as a reference, but have approached it differently by diving into the cmdlets that are run during the process:
1. The HCW validates the On-premises and Online Exchange Connection.
The Hybrid Configuration Wizard checks if it is possible to connect to both servers with PowerShell. It runs the Get-ExchangeServer cmdlet on premises after resolving the server in DNS. It then connects to Exchange Online, authorizing the connection:
3. The HCW collects information on the Exchange online (Office 365) configuration
This task repeats what has been done in the previous step, only for the Exchange online, instead of the on-premises one.
The cmdlets include, in order:
1
2
3
4
5
6
7
Get-OrganizationConfig
Get-OnPremisesOrganization
Get-AcceptedDomain
Get-MigrationEndpoint
4. Federation Trust is determined. If not present, a new Federation Trust and the required certificate will be created on the local Exchange Server
You will be prompted in the Wizard to create a Federation Trust if not present. The following articles explain Federation and its requirements:
Understanding Federation – Link Here Understanding Federated Delegation – Link Here Create a Federation Trust – Link Here
If the activity is finished successfully, a new certificate should appear on the on-premises Exchange Certificates list. The new certificate includes “Federation” in its Subject field. To make sure the certificate is there, you can run a cmdlet: Get-ExchangeCertificate | ft -a -wr
The results will look like this
5. The HCW createsa new Hybrid Configuration Object in the local Active Directory
The HCW will run cmdlets based on the information you provide in the HCW for the certificate, the on premises Exchange Server, the domain(s), and what features you want turned on:
7. The HCW Configures the Organization Relationship between the local server and the cloud.
This configuration is not necessary in minimal hybrid deployment. Since I have a full hybrid deployment configured, the cmdlets were run as needed to configure it. Thanks to the correct configuration, it is possible to synchronize free/busy status of mailboxes and their elements between the on-premises Exchange Environment and Exchange online.
New-OrganizationRelationship-Name'On-premises to O365 - 48e7bec9-404c-4d24-b59e-4b46b64d7e03'-TargetApplicationUri'outlook.com'-TargetAutodiscoverEpr'https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc/WSSecurity'-Enabled:$true-DomainNames'LDLNET.mail.onmicrosoft.com'
New-OrganizationRelationship-Name'O365 to On-premises - 48e7bec9-404c-4d24-b59e-4b46b64d7e03'-TargetApplicationUri'FYDIBOHF25SPDLT.ldlnet.net'-TargetAutodiscoverEpr'https://autodiscover.ldlnet.net/autodiscover/autodiscover.svc/WSSecurity'-Enabled:$true-DomainNames'ldlnet.net'
Set-OrganizationRelationship-MailboxMoveEnabled:$true-FreeBusyAccessEnabled:$true-FreeBusyAccessLevel LimitedDetails-ArchiveAccessEnabled:$true-MailTipsAccessEnabled:$true-MailTipsAccessLevel All-DeliveryReportEnabled:$true-PhotosEnabled:$true-TargetOwaURL'http://outlook.com/owa/LDLNET.onmicrosoft.com'-Identity'On-premises to O365 - 48e7bec9-404c-4d24-b59e-4b46b64d7e03'
Set-OrganizationRelationship-FreeBusyAccessEnabled:$true-FreeBusyAccessLevel LimitedDetails-MailTipsAccessEnabled:$true-MailTipsAccessLevel All-DeliveryReportEnabled:$true-PhotosEnabled:$true-TargetOwaURL'https://mail.ldlnet.net/owa'-Identity'O365 to On-premises - 48e7bec9-404c-4d24-b59e-4b46b64d7e03'
8. The HCW and setting connectors on both Exchange servers
The HCW checks to see if the connectors are there, if not, it sets them up. During this workflow, four connectors are set – one receive and one send connector for each server. Those connectors guarantee the mail flow between the on-premises and Exchange Online.
New-InboundConnector-Name'Inbound from 48e7bec9-404c-4d24-b59e-4b46b64d7e03'-CloudServicesMailEnabled:$true-ConnectorSource HybridWizard-ConnectorType OnPremises-RequireTLS:$true-SenderDomains''-SenderIPAddresses$null-RestrictDomainsToIPAddresses:$false-TLSSenderCertificateName'.ldlnet.net'-AssociatedAcceptedDomains$null
New-OutboundConnector-Name'Outbound to 48e7bec9-404c-4d24-b59e-4b46b64d7e03'-RecipientDomains'*'-SmartHosts'mail.ldlnet.net'-ConnectorSource HybridWizard-ConnectorType OnPremises-TLSSettings DomainValidation-TLSDomain'mail.ldlnet.net'-CloudServicesMailEnabled:$true-RouteAllMessagesViaOnPremises:$true-UseMxRecord:$false-IsTransportRuleScoped:$false
9. The HCW configures OAuth Authentication across the Hybrid
This LINKexplains how OAuth is configured between Exchange On Premises and Exchange Online. It’s a very good article to read as it shows how to get the Modern Authentication style working. Now the HCW does this for you and at the end of the article, you can run cmdlets to test the validity of the configuration.
Again, look at both of those links to get a little more detail as to what each cmdlet does and how it sets up OAuth. Here are the two cmdlets used to test OAuth:
Run On Premises PowerShell to test OAuth to Exchange Online
In order to be able to move mailboxes between Exchange On Premises and Exchange Online, you have to enable the Exchange Web Services Virtual Directory to use the MRSProxy (Microsoft Replication Service proxy). You also have to set your EWS Virtual Directory to use Basic Authentication. You’ll want to do this before running the HCW or else you will receive the following error when the HCW validates the Migration setup and configuration:
Microsoft.Exchange.Migration.MigrationServerConnectionFailedException: The connection to the server ‘mail.ldlnet.net’ could not be completed. —> Microsoft.Exchange.MailboxReplicationService.RemoteTransientException: The call to ‘https://mail.ldlnet.net/EWS/mrsproxy.svc’ failed. Error details: The HTTP request was forbidden with client authentication scheme ‘Negotiate’. –> The remote server returned an error: (403) Forbidden.. —> Microsoft.Exchange.MailboxReplicationService.RemotePermanentException: The HTTP request was forbidden with client authentication scheme ‘Negotiate’. —> Microsoft.Exchange.MailboxReplicationService.RemotePermanentException: The remote server returned an error: (403) Forbidden.
Some of the cmdlets run to test Migration and MRS Proxy Settings are as follows:
The HCW runs from final cmdlets to finish up the installation of the Hybrid environment. Here are the cmdlets run:
1
2
3
Get-OnPremisesOrganization
Set-OnPremisesOrganization-Identity'48e7bec9-404c-4d24-b59e-4b46b64d7e03'-Comment'Bunch of letters and numbers'
All this information was found in the setup logs that are in the following directory C:\Users\%username%\AppData\Roaming\Microsoft\Exchange Hybrid Configuration
