About Sean O'Farrell

Behind the scenes of this blog is me, Seán O'Farrell. I am a Solution Architect with Evros Technology Group in Dublin, Ireland. You can find me on Linkedin My blog posts are completely my own views & provide no warranty. My blog posts are in no way affiliated with my current employer, Microsoft, Quest or any vendor’s technologies mentioned in my blog. I started my blog in 2009 and at this point in time I was not even aware of the Microsoft MVP programme, having a family and a very busy career in some ways held me back from the commitment it takes to obtain the prestigious MVP award. A lot of my colleagues that I have worked with for over 10 years are MVPs. Over the years some of my clients have presented my blog posts by searching the net to resolve problems and some vendors have officially published some of my blog posts. I acquired the domain informationprotection.ie, I was surprised the domain name was available, given all the so called GDPR experts that have suddenly appeared. I have focused on Office365 since before BPOS and the Office365 platform is now a mature platform, the Office365 skillset is not so special anymore and a standard requirement for most IT professionals, Since the start of 2018 nearly all of my professional services engagements have been focused on Office365 & Azure security. I am going to try and focus on Microsoft cloud security with this blog and invite guest peers to post security blog postings. I do not want to post generic material and always want to post items that are unique and will help people in the industry. If you have found the blog helpful in any way, and/or like what I am doing, please nominate me for the Microsoft MVP award here. It's very quick and easy, fill in your own details, then the details in the screen grab below for me. Thank you!

Quest Migration Manager for AD – UPN change mid project

I recently encountered a unique scenario when using Quest Migration Manager for Active Directory. I was in the process of migrating 3 AD Forests into a new AD Forest. I had already migrated 1200 users into the new AD Forest and at the time of migration the UPN’s were contoso.com.

My customer then decided to change all UPN’s and primary smtp domains to @fabrikam.com in the middle of the project. This caused a big problem when computer accounts were being migrated. After the computer account had completed migration to the new domain, the user’s UPN was @contoso.com. Which meant the user had to change their UPN to login instead of just simply entering their existing AD password that they were previously using.

So how do we resolve this issue.Right click on the properties of the domain pair as per image below
Next change target domain to contoso.com or a fqdn of a domain controller in contoso.com

Next modify the security settings and set the domain suffix to fabrikam.com
Finally stop and start the synchronization task.

Once this has been completed, when computer accounts are migrated the correct UPN will be populated and users simply need to enter their existing AD password.

Dynamically Assign AIP Policies

In a previous post on how to dynamically assign Intune licenses using Azure dynamic user security groups.

When an organisation has configured global labels like the default labels displayed below. An organisation can choose to apply a policy to all users or all Azure Information Protection Plan 1 licensed users or all Azure Information Protection Plan 2 licensed users.

Azure Information Protection Plan 1 Azure Security Group

Create an Azure Active Directory Dynamic User Security Group , Edit the query and enter the query below for Azure Information Protection Plan 1 licensed users.

user.assignedPlans -any (assignedPlan.servicePlanId -eq “6c57d4b6-3b23-47a5-9bc9-69f17b4947b3” -and assignedPlan.capabilityStatus -eq “Enabled”)

Azure Information Protection Plan 2 Azure Security Group

Create an Azure Active Directory Dynamic User Security Group , Edit the query and enter the query below for Azure Information Protection Plan 2 licensed users.

user.assignedPlans -any (assignedPlan.servicePlanId -eq “689bec4-755d-4753-8b61-40975025187c” -and assignedPlan.capabilityStatus -eq “Enabled”)

If the during the creation of the group , it fails with an error , delete the “” that encapsulates the “guid” and “enabled” within the query and use your keyboard to replace the “” if you are copying them from this blog post.

So this solution enables administrators to apply policies to all AIP plan 1 and plan 2 licensed users and because it is dynamic , it will catch all new employees in the organisation.

Transitioning to Outlook Mobile

I always recommend the Outlook mobile client to my customers as this application can be included in an Intune app configuration & protection policy to protect and encrypt corporate data.

One of the features that the native IOS & Android mail client provides to end users is the illusion that the global address list of the organisation that they work for is in their native contacts. So when an end user searches for users in their company they expect to get the contact information instantly. Users must use Outlook Mobile.

End users mostly complain about loosing this feature but the argument is security comes first and Outlook Mobile is more secure!  It is very difficult to find the balance between security and productivity.

Android Outlook Mobile Cheat Sheet
IOS Outlook Mobile Cheat Sheet
Deploying Outlook for iOS and Android app configuration settings

Why use Outlook Mobile?

Content via Ignite 2019 Slide Deck

  • Consistent new features and security patches from Microsoft
  • In BYOB scenario , Corporate email profiles are encrypted via Intune App Protection policy
  • Azure Information Protection integration
  • Sensitivity Labels
  • Add a share mailbox to Outlook Mobile

Azure AD Connect authentication error

I started to notice that Azure AD connect was failing and had a look in the console and seen the error message in the console displayed in the image below

Then when I tried to run the command Start-ADSyncSyncCycle -PolicyType delta ,  I received a long list of authentication errors.

To resolved the issue browse into properties of the Azure Active Directory account and copy the account name onto the clipboard.

Next add this account in as an excluded account from conditional access policies the same way a break glass cloud identity admin account would be excluded from conditional access policies.

As soon as the sync account has been added to the exclusions , syncs will resume

Maintaining Exchange on-premise storage during migrations

Now that Microsoft have announced that Exchange 2010 support will end in October 2020 a lot of organisations are moving to Exchange 2016, 2019 or hopefully Exchange Online.

For enterprise organisations , the migration topology will include two Exchange 2016 servers that are load balanced via an F5 , Citrix Net Scaler or my preferred choice a Kemp load balancer. Autodiscover services for the smtp domains will be transferred to the new virtual IP and the service will be provided by the new Exchange 2016 servers that will proxy access requests to Exchange 2010 hosted mail resources.

The new virtual IP for load balancing services will become the target for the Exchange Online migration endpoint.

The Exchange Online Hybrid wizard licenses the new Exchange 2016 servers as part of the Hybrid configuration process , the Hybrid license does not permit the hosting of mailboxes. One of the problems with Exchange server since Exchange 2013 is log file growth. This post will demonstrate a scheduled task i always create on Hybrid servers.

The task schedules Edward van Biljon script available to download HERE

These log files are mostly IIS log files and not Exchange database log files as no mailboxes are hosted on the Hybrid server. But if an organisation is moving thousands of mailboxes to Exchange Online and not clearing down these logs, then they will run into issues. I have often reclaimed 20 -30GB of disk storage from running this script as a scheduled task.


The next section to consider is Exchange Database logs. Most vendors like

  • Commvault
  • Veeam
  • Veritas

perform an excellent backup service and are typically scheduled to run outside of business hours. Exchange backups are critical to truncate logs and become even more critical in an Exchange DAG. I have worked on previous projects that migrated Lotus Notes or Groupwise to Exchange and the log files grew too quick and could not wait till the daily evening backup. This issue can also arise in Exchange Hybrid native migrations due to the volume of traffic being migrated.

Most Exchange backup vendors communicate with VSS , It is critical that Exchange truncates the mailbox database logs , as there will be corruption in the databases’ if Exchange cannot perform this task.

If there is a scenario where the Exchange database and log volume is running out of space , Microsoft have an excellent utility called diskshadow which has been around for a long time. So essentially we trick Exchange into thinking a full backup has been performed and here are the simple steps if an Exchange Server database was installed on the system volume.


This process should only be used in emergencies, Business as Usual backup schedules should normally ensure Exchange volumes do not run out of space but during migrations from an Exchange 2010 to Exchange Online or Lotus Notes to Exchange on-premise or online , the log files fill up really quick and even more so if there 3 or more databases that are members of a DAG

The final option for reclaiming space is offline de-fragmentation databases to claim white space. And only choose this option when all mailboxes have been migrated as it can take a long time and requires downtime.

Anonymous Relay when transitioning from 2010 to 2016

I recently worked on a project where my customer had a load balanced vip for SMTP. There were two Exchange 2010 cas-hub servers included in the vip. And the 2010 servers had a relay connector for anonymous access configured for applications like scan to email and HR applications. So how do we move this service to our lovely new Exchange 2016 servers.

  1. Create the fronted transport service relay connectors on both Exchange 2016 servers called ‘Relay’
  2. Then run this script to copy all of the relay ips to the new Exchange 2016 relay connectors
  3. Then on Exchange 2016 server 1 we run these commands
    Servers are contso1 & contoso2
    Set-ReceiveConnector “contso1\Relay” -PermissionGroups AnonymousUsers,Exchangeservers -DomainController FSMO DCGet-ReceiveConnector “contso1\Relay” | Add-ADPermission -User ‘NT AUTHORITY\Anonymous Logon’ -ExtendedRights MS-Exch-SMTP-Accept-Any-Recipient -DomainController FSMO DCSet-ReceiveConnector “contso2\Relay” -PermissionGroups AnonymousUsers,Exchangeservers -DomainController FSMO DCGet-ReceiveConnector “contso2\Relay” | Add-ADPermission -User ‘NT AUTHORITY\Anonymous Logon’ -ExtendedRights MS-Exch-SMTP-Accept-Any-Recipient -DomainController FSMO DC
  4. Add a server IP like the ad connect server into the relay connector scope on both contoso1 and contoso2
  5. Then run this command from the AD Connect server to each of the Contoso servers
    telnet SMTP VIP 25
    mail from:sean@contoso.com
    rcpt to:sean.ofarrell@yahoooooo.com
    Test from Sean.
  6. Once the email comes through we can then remove the Exchange 2010 server from the SMTP VIP and disable the relay connector on the Exchange 2010 servers.

Finally a lot of my customers do not trust Exchange Online Protection and use services like Mimecast , Proofpoint, Cisco Cloud Email Security and once the SPF records for the domains matches the service it can normally be much easier to set up smtp relay via these saas services.

AD Connect – Sync-rule-error-function-triggered

I recently worked on a project that had the following scope.

  • Migrate 6 Office365 tenants into a new single Office365 tenant
  • Migrate all users, sidhistory and computer accounts into a new AD Forest using Quest Migration Manager for Active Directory from 10 source Active Directory Forests to a new Windows Server 2019 Active Directory Forest.

14 user objects could not sync changes like adding aliases. If I extract the affected user’s immutable from the source office365 tenant it was different to the corresponding users immutableid in the new tenant.

So where is the problem? Why wont the changes sync?

When further analyzing the errors in AD Connect, I could see that the cloudanchor attribute in my new tenant had the same immutable ID as the source tenant.

So how do we fix this?

  1. Exclude the following two attributes from Quest Migration Manager for Active Directory migrations and synchronization tasks ‘mS-DS-ConsistencyGuid’ & ‘msDS-ExternalDirectoryObjectId’
  2. Then run this powershell command to export all destination  site immutable IDs

    get-aduser -filter * -SearchBase “OU=Contoso” | select samaccountname,mail,userprincipalname,objectguid,@{label=”ImmutableID”;expression={[System.Convert]::ToBase64String($_.objectguid.ToByteArray())}} | export-csv CSV LOCATION

  3. Then run the following command and replace the immutable id from the exported csv in step3 in the bold text below to convert the immuttableid to HEX format
    [system.convert]::FromBase64String(“rk4ZgeI/l0OpdRr5PiwU1g==“) | %{$a += [System.String]::Format(“{0:X}”, $_) + ” “};$result = $null;$result = $a.trimend();$result
  4. The output of this command will convert the immutable ID from the CSV to a Hex value like AE 4E 19 81 E2 3F 97 43 A9 75 1A F9 3E 2C 14 D6
  5. Next step is to populate the ‘mS-DS-ConsistencyGuid’ attribute with the hex value from step 4 and replicate domain controllers.
  6. Run a delta or initial sync on AD Connect and the issue will be resolved.

Reference Article: https://docs.microsoft.com/en-us/archive/blogs/latam/using-the-consistencyguid


SPF,DKIM & DMARC for Message Hygiene Services

This article is about securing email transmission and I mention multiple vendors. Proofpoint recently acquired Wombat Security Technologies that provide security awareness training for end users. knowbe4 is another excellent security awareness training provider and the Gartner leader in security awareness training.

None of the vendors I mention in this article can provide zero day vulnerabilities protection and I still think one of the best line of defences for any organisation is security awareness training for end users.

SPF The Sender Policy Framework (SPF) is an email-authentication technique which is used to prevent spammers from sending messages on behalf of your domain. With SPF an organisation can publish authorized mail servers.
Ref: https://www.dmarcanalyzer.com/spf/

DKIM (Domain Keys Identified Mail) is an email authentication technique that allows the receiver to check that an email was indeed sent and authorized by the owner of that domain. This is done by giving the email a digital signature. This DKIM signature is a header that is added to the message and is secured with encryption.
Ref: https://www.dmarcanalyzer.com/dkim/

DMARC : DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”, is an email authentication, policy, and reporting protocol. It builds on the widely deployed SPF and DKIM protocols, adding linkage to the author (“From:”) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email.
Ref: https://dmarc.org/

With the combination of SPF,DKIM and DMARC , these standards improve the reputation of an email like contoso.com. But most importantly they can help an organisation like contoso.com from being a victim of a phishing or an email spoofing campaign.

A lot of my enterprise customers and early adopters of Exchange Online chose not to use Exchange Online Protection because it quite simply wasn’t good enough at the time they moved to Exchange Online. Exchange Online Protection has really matured in the last number of years with some excellent features like:

  • Office365 ATP
  • Zero Hour Purge
  • Automated Investigation and Response (AIR)

In my view the two best locations for technical guidance on configuring Exchange Online Protection

  1. https://office365itpros.com/
  2. https://www-undocumented–features-com.cdn.ampproject.org/c/s/www.undocumented-features.com/2019/08/13/exchange-online-protection-eop-best-practices-and-recommendations/?amp

DKIM and DMARC should be configured on the last hop of email messages transmission.

Microsoft have documented how to configure DKIM for Exchange Online HERE
Microsoft have documented how to configure DMARC for Exchange Online HERE

Symantec Email Security Cloud DKIM
Symantec Email Security Cloud DMARC

Mimecast DKIM
Mimecast DMARC

Proofpoint DKIM
Proofpoint DMARC
Note: DMARC Not supported on ProofPoint Essentials

Cisco Cloud Email Security DKIM
Cisco Cloud Email Security DMARC

ForcePoint Email Security DKIM
ForcePoint Email Security DMARC

Switch from SCCM Co-Management Hybrid to Intune

I recently had to break co-management of SCCM & Intune Co-Management Hybrid and migrate to Intune for mobile devices that were managed by SCCM\Intune.

I followed Gerry Hampson’s blog POST on how to do this. Gerry is a Microsoft MVP in Enterprise Client Management.

I faced a problem. How do I translate an SCCM device collection that has no information on users, to a security group that I can assign an Intune Application Protection Policy to. In my particular instance there was only two policies required.

  1. Intune_Exec_AppProtection_Policy
  2. All users except the Exec users

Azure Active Directory has the ability to create complex dynamic user or device security groups. So in my instance I created two Intune Application Protection Policies that are listed above.

I created one on-premise synced AD Security group that contained the Exec users, this group would be assigned to Intune Application Protection Policy 1. I then wanted to create a security group that I could assign to all non exec users and any new users. So I created an Azure dynamic user security group that queried Azure AD for any user that has an Intune license. The query for the Azure dynamic security group is listed below.

user.assignedPlans -any (assignedPlan.servicePlanId -eq “c1ec4a95-1f05-45b3-a911-aa3fa01094f5” -and assignedPlan.capabilityStatus -eq “Enabled”)

This type of dynamic security group can be applied to any Microsoft cloud service. The list of all Microsoft servicePlanId’s is available HERE