Exchange On-Premise Mailbox will not MIGRATE

I recently encountered an issue which I have seen before but never this bad and more commonly with Public Folders. My customer had a 50GB mailbox that also had an archive mailbox. The mailbox would get so far and just stall and never complete.

So I tried all of some of the usual methods to repair the mailbox to no avail.
Repair the mailbox with PowerShell & Migrate the mailbox to another Exchange database

So we asked the customer could we review the mailbox and found thousands of folder in the format of 16/04/2019. Exchange does not like / , Exchange normally sees / as the top of the information store. So my first attempt to resolve this was powershell and could not seem to crack it. Thanks to my colleague Mark Doyle  ,We resolved this issue with an Outlook Macro.

So if you ever encounter this unique issue , Please follow these steps.

  1. Browse to the Outlook Trust Center
  2. Macro Settings, Select Notifications for all Macros
  3. Press Alt + F11 to open Visual Basic
  4. Double click “This Outlook Session” under Microsoft Outlook Objects
  5. Paste  this TEXT below into the window
  6. Click on the folder or inbox that you want , And run the Macro
  7. Input character we want to replace in this case will be /
  8. Then select . as the replacement character
  9. Finally task complete

Final Comment

This is in no means an enterprise solution and I asked Microsoft for help and didn’t get anywhere. Once we removed the / , We could see when checking get-moverequeststatistics (mailbox) , that it was getting past the ‘create folder hierarchy’ stage in a mailbox move. And we did not need to tell our customer , Sorry this mailbox cannot be migrated!

Azure AD Combined security information registration

One of the glaring holes in the SSPR and MFA registration process was when bad actors that had compromised credentials could register for SSPR or MFA if the compromised account had not already registered.

One of my customers highlighted this to me and the way we overcame the vulnerability was to populate Active Directory with mobile numbers and through powershell force the authentication method to text message and not give an end user the choice.

Finally Microsoft have released a feature that can lock down the SSPR an MFA registration process to a corporate ip or ip ranges, the following slides show how we enable this in a conditional access policy.

  1. Select all users and exclude the tenant Office365 admin breakglass account.
  2. Select cloud apps or actions and select the ‘Register Security information (preview)’ option.
  3. In location select from any location
  4. Exclude all trusted locations
  5. In the controls section , Select ‘Grant Access’ and ‘Require multi-factor authentication.


Office365 & Intune White list URL and IP Range

For years I have fought tooth and nail with Security vendors on my enterprise customer sites that will typically have a corporate proxy or silent proxy like Palo Alto by tryng to get them to grant the customer,site or project access to Office365.

Microsoft have made the Office365 endpoints dynamically available as a web link which all enterprise firewall vendors support like Cisco, Juniper, Palo Alto can connect to.

Palo Alto guide HERE

Microsoft site Office 365 URLs and IP address ranges
Dynamic URL for firewalls and proxies 

I have faced on numerous occasions , issues with ip ranges that are outside the published Microsoft ranges. When my customer asked me what is this IP address , I cannot say it is mine and then need Microsoft to verify via a service ticket that they own the ip address.

My recommendation is also to white list the urls and ip ranges listed in this Microsoft article when using Intune. Intune network configuration requirements and bandwidth

Microsoft IP ranges outside the published ip ranges have affected me on customer project sites with Office365 ProPlus activation and Intune managed BitLocker encryption.

Hybrid Azure AD Joined Devices

Anyone familiar with conditional access, will have noticed this access control in Conditional Access policies. So what does it mean , How can I enable this, Is this a good feature.

This is not a good feature, it is an excellent feature. The best way to describe this control requirement is as follows. DO NOT GRANT access unless the machine is DOMAIN JOINED. Many enterprise companies have corporate wifi rolled out and only permit access to the corporate wifi via credentials and a machine certificate issued by the local certificate authority.

AD Connect keeps getting better and better and Microsoft have made it so easy to enable this feature. The following screenshots ill demonstrate how easy it is to enable this feature.

Modify the configuration of AD Connect and select ‘Configure Device Options’

Enter Azure AD Credentials

Note: Only select the second option ‘Supported Windows domain level domain-joined devices if you are using Azure Seamless Sign On, Azure Seamless Sign on provides the functionality to support Windows 7 and above operating systems.

Then enter enterprise admin on-premise credentials as per the image below.

Download and run the PowerShell script using on-premise enterprise admin credentials that AD Connect has prepared as per image above.

Next step is to follow this Microsoft Article : To enable auto enrollment of Windows Devices.

Now that we have enabled device auto enrollment into Intune, What are the benefits?

  • Intune Device Management – Intune can manage 5 devices per user license
  • Conditional Access Policy Control : Hybrid Azure AD objects
  • Intune – Bitlocker Management
  • Azure Dynamic Machine groups can be a useful method for managing global or large enterprise organisations.
  • Windows 10 Security Base Lines
  • Intune integration with Windows Defender ATP

These are just a small number of benefits , Open to comments on more benefits.

Update: 24.05.2019

Follow THIS Microsoft guide and block downloading from SharePoint Online on no domain joined devices

eDiscovery for Exchange Online Data at Rest

  • It is not possible to search for sensitive information types when selecting Exchange Online mailboxes as the data source , Office 365 User Voice REQUEST
  • It is possible to search for the items specified in this Microsoft ARTICLE and via KeyWord

The screen shot below is from an Office365 E5 Advanced eDiscovery query that shows these types of searches are not supported


Office365 & AIP Sensitive Information Types

  • Sensitive Information Types defined in Azure Information Protection are not visible in the Office365 Security Center
  • Sensitive Information Types defined in the Office365 Security and Compliance center are not visible in Azure Information Protection
  • So this means sensitive information types need to be defined in each service.
  • @MSignite2018 Microsoft announced a change in search technology in Exchange Online and Exchange 2019 , they will now use Bing technology. The front end of the Office365 Security and Compliance Center seems to be using SharePoint search technology. I would love Microsoft to enable Exchange Online, AIP, & Sharepoint Online to use the same search technology used in Azure Log Analytics.
  • Microsoft state that when creating custom sensitive information types via an XML file and then importing them into the Security and Compliance center that it is not possible to have multiple regex values. It is possible to combine multiple regex values by using the PIPE value |. When combining multiple regex values , they can be tested in Office365 and in
  • Using multiple regex values in AIP can also be combined by using the PIPE value |
  • This is an example of a regex for different pattern types for Irish mobile phone numbers that could be used in the Security and Compliance center GUI or the AIP GUI when defining regex sensitive information types.
    notice the | that defines the different type of patterns.

How to Identify Your Enterprise’s High-Level Sensitive Data with Microsoft

By Seán O’Farrell

Too often companies engage with Security professionals when a breach has occurred. They rush to resolve it as quickly as possible without thinking of how to prevent it from happening. Instead, organisations should be considering building a Security Road Map.

Here are some technical aspects that need to be considered if enterprises are to best leverage the Microsoft security suite. Generally speaking, the current high-level challenges that we come across often when speaking with EMEA clients, are:

  • GDPR
  • Personally Identifiable Information
  • Freedom of Information (for Irish Public Services)
  • Client sensitive information
  • Intellectual Property

The Microsoft Information Protection Suite

Microsoft’s Information Protection solutions such as Data Loss Prevention (DLP) are crucial in the protection of data, especially when the following Microsoft technologies are all implemented:

  • Office365 DLP
  • Azure Information Protection
  • Cloud App Security
  • Conditional Access
  • Intune Application Protection Policies
  • Windows Information Protection
  • Intune managed Bit Locker
  • Azure ATP
  • Windows Defender ATP
  • Office365 ATP

All of these technologies will help build a hardened stance against cyber threat. But when companies fail to define what sensitive data, customer or personally identifiable information types they are hosting, they quickly find themselves in the murky waters of becoming data uncompliant.

How do you identify all of the high-level sensitive information types?

My recommendation is to start with Azure Information Protection (AIP) scanner with Azure Log Analytics integration in discovery mode to assess your environment.

When I present the results of the analysis to my customers regarding their data analysis, they often have mixed reactions. Firstly, there’s delight that they can have instant business intelligence reports on their data. Then the delight is followed promptly by the worry that they are uncompliant. This process outlined below will hopefully allay the fear around compliance.

Begin with a small amount of possible sensitive information types that has been configured as part of an Azure AIP Scanner policy integrated into Azure Log Analytics.

How to configure the Azure Information Protection policy

Once this data is enabled, it empowers a business to slowly start defining what data is critical to the business and their customers. A good first sensitive information type to start with is a credit card number to familiarise the organisation’s staff on how to use this service.

TIP: To assign the responsibility to one person to review 30TB of data will not be productive. Azure role-based access control can be implemented so that Department Heads or Compliance Officers only review data that they have the right to review.

Defining sensitive information types and then continuing to update your sensitive information type library will be an ongoing process which should also include the process of upskilling existing employees. The engagement becomes difficult if the customer does not have the required Microsoft Cloud and desktop operating system versions.