Showing posts with label Office 365. Show all posts

Wednesday, October 21, 2015

Failed to move mailboxes from Office 365 to on-premises Exchange Server

First of all, thank you to my colleague Soren for sharing the troubleshooting steps for this case. The symptom is that when you move a mailbox from Office 365 to an on-premises Exchange server using the Exchange Management Console (EMC) or the Exchange Admin Center (EAC), you get the following error message.

"MigrationPermanentException: Cannot find a recipient that has mailbox GUID <GUID>"


According to the KB article from Microsoft, we need to set the same GUID for this mailbox. However, in this case the Exchange GUID of the mailbox was already the same between Office 365 and on-premises Exchange.

Next, we need to check whether the remote mailbox is enabled for this user account on the on-premises Exchange server. How can we verify it?

Perform Get-RemoteMailbox <Alias> on the Exchange Management Shell of the on-premises Exchange server.


Then, what do we need to do?

Perform Enable-RemoteMailbox <Alias> -RemoteRoutingAddress <Alias>@<accountName>.mail.onmicrosoft.com to enable the remote mailbox for this user account.


Then, we need to set the ExchangeGuid for the mailbox. If there is an archive for this mailbox on Office 365, we also need to set the ArchiveGuid.


Log in to the Exchange Management Shell of Office 365 (remote PowerShell) and then perform Get-Mailbox <Alias> | fl *guid*


Then, copy the ExchangeGUID and the ArchiveGUID of the user mailbox.

Go back to the Exchange Management Shell of the on-premises Exchange server. Perform Set-RemoteMailbox <Alias> -ExchangeGUID <ExchangeGuid copied from Office 365> -ArchiveGUID <ArchiveGuid copied from Office 365> to assign the same Exchange GUID and Archive GUID to the user mailbox. Verify the result with Get-RemoteMailbox <Alias> | fl *guid* before retrying the move.



At this point, you can try to migrate the mailbox again.

This posting is provided “AS IS” with no warranties, and confers no rights!

Friday, July 24, 2015

Migrate Office 365 Mobile Device Management to Microsoft Intune problem

I enabled Mobile Device Management on Office 365 for my lab domain. Now I'd like to change it to Microsoft Intune for testing. However, I cannot move it from Office 365 to Microsoft Intune because neither portal offers an option for this task. In Microsoft Intune, it shows "Set to Office 365".



On Office 365, it shows the current MDM configuration.


Eventually, I submitted a service request on Office 365 to report this status and asked them to change the status on Microsoft Intune.



If you plan to manage devices with Microsoft Intune, all devices need to be re-enrolled after switching to Microsoft Intune.

Make sure which solution your customers need before deploying Mobile Device Management on Office 365 or Microsoft Intune.

More information:
Manage mobile devices with Microsoft Intune

This posting is provided “AS IS” with no warranties, and confers no rights!

Saturday, July 4, 2015

Manage Exchange on Office 365 by PowerShell

Some Office 365 services, such as SharePoint, Skype for Business and Exchange, can be managed with Windows PowerShell. The basic requirements for managing these services are the following:

Operating Systems (64-bit):
Windows 8.1 or Windows 8
Windows Server 2012 R2 or Windows Server 2012
Windows 7 Service Pack 1
Windows Server 2008 R2 SP1

Required components:
Microsoft .Net Framework 4.5.x and Windows Management Framework 3.0 or later.

To manage Exchange on Office 365, we don't need to install an additional tool. We can directly import the Exchange cmdlets from Office 365.

Lab environment
Windows Server 2012 R2 with the required components installed

1. Launch Windows PowerShell as administrator.
2. Perform Set-ExecutionPolicy RemoteSigned -Verbose -Force to update the execution policy of Windows PowerShell.


3. Perform $cred = Get-Credential


4. Enter the Exchange administrator user name and password into the dialog box and then click OK.


5. Perform $ExchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/PowerShell-liveid/" -Credential $cred -Authentication Basic -AllowRedirection to create a new PowerShell remote session to your Office 365 account.


Remark: Microsoft doesn't support using an Office 365 (or other online service) administrator account that has Multi-Factor Authentication enabled for Windows PowerShell management with this connection method, because the session authenticates with a plain user name and password.

6. Perform Import-PSSession $ExchangeSession -DisableNameChecking to import the PowerShell cmdlets from Exchange on Office 365.



All imported cmdlets are placed under a temporary PowerShell module name.

As a result, we can perform PowerShell cmdlets to manage Exchange on Office 365.
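Putting the connection steps above together with the GUID fix from the October post, as an added example that is not code from the original blog: a script run from the on-premises Exchange Management Shell that imports the Office 365 cmdlets with a prefix, compares the cloud and on-premises ExchangeGuid/ArchiveGuid, and sets only what differs. The $Alias parameter, the tenant placeholder in $RemoteDomain and an admin account without MFA are assumptions.

```powershell
# Added example, not from the original post. Run inside the on-premises
# Exchange Management Shell so Get-/Enable-/Set-RemoteMailbox are available.
param(
    [Parameter(Mandatory)] [string] $Alias,
    [string] $RemoteDomain = '<accountName>.mail.onmicrosoft.com'   # placeholder tenant
)

# Steps 3 to 6 of the post, with the cloud session torn down in 'finally'
$cred = Get-Credential -Message 'Exchange Online administrator (no MFA)'
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/PowerShell-liveid/' `
    -Credential $cred -Authentication Basic -AllowRedirection
try {
    # -Prefix keeps the cloud cmdlets (Get-EXOMailbox) apart from the
    # on-premises ones (Get-RemoteMailbox) loaded in the same shell.
    Import-PSSession $session -DisableNameChecking -Prefix EXO | Out-Null

    $cloud = Get-EXOMailbox -Identity $Alias
    if (-not $cloud) { throw "No cloud mailbox found for '$Alias'" }

    # The on-premises object must be a remote mailbox before GUIDs can be set
    $remote = Get-RemoteMailbox -Identity $Alias -ErrorAction SilentlyContinue
    if (-not $remote) {
        Enable-RemoteMailbox -Identity $Alias -RemoteRoutingAddress "$Alias@$RemoteDomain"
        $remote = Get-RemoteMailbox -Identity $Alias
    }

    # Compare the GUIDs instead of blindly overwriting them
    $params = @{ Identity = $Alias }
    if ($remote.ExchangeGuid -ne $cloud.ExchangeGuid) {
        $params.ExchangeGuid = $cloud.ExchangeGuid
    }
    # Only copy the archive GUID when the cloud mailbox actually has an archive
    if ($cloud.ArchiveGuid -ne [guid]::Empty -and $remote.ArchiveGuid -ne $cloud.ArchiveGuid) {
        $params.ArchiveGuid = $cloud.ArchiveGuid
    }
    if ($params.Count -gt 1) {
        Set-RemoteMailbox @params
        Write-Host "Updated $Alias : $($params.Keys -join ', ')"
    } else {
        Write-Host "GUIDs for $Alias already match; the remote mailbox state was the fix"
    }
}
finally {
    # Always remove the remote session so the tenant isn't left with a dangling one
    Remove-PSSession $session
}
```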


More information


This posting is provided “AS IS” with no warranties, and confers no rights!

Wednesday, July 1, 2015

Renew Apple Push Notification Service (APNs) certificate on MDM of Office 365

An Apple Push Notification Service (APNs) certificate is used by every Mobile Device Management platform to manage Apple devices. It expires every year. When the APNs certificate has expired, administrators cannot manage enrolled mobile devices from the MDM portal.

The steps to renew an APNs certificate are similar to those for requesting a new one. Renew the existing certificate with the same Apple ID that was used to create it; creating a new certificate instead of renewing would require the enrolled devices to be re-enrolled. In this blog post, I'm going to renew my not-yet-expired APNs certificate on MDM of Office 365.

1. Log in to the Office 365 admin center as a Global Administrator.
2. On the left pane, select the "Mobile Devices" tab.
3. Next to "Settings", click "Manage settings".


4. In the "Set up mobile device management" window, next to "Configure an APNs Certificate for iOS devices", click "Set up".


5. On the "download certificate signing request" page, click "Download your CSR file" to download and save the file.


6. On the "create an apns certificate" page, click "Apple APNs Portal".


Then, log in to the Apple Push Certificates Portal.

7. Click "Renew" on the "Certificates for Third-Party Servers" page.


8. On the "Renew Push Certificate" page, click "Browse" to select the CSR file you downloaded from the Office 365 web page.


9. Click "Upload".
10. Click "Download" on the "Certificates for Third-Party Servers" page to save the .pem file.


11. Go back to the "upload apns certificate" page and click "Browse" to upload the .pem file.


12. Click "Finish".


As a result, the APNs certificate has been renewed on MDM of Office 365.

This posting is provided “AS IS” with no warranties, and confers no rights!

Thursday, June 25, 2015

Improvement suggestion for Mobile Device Management on Office 365

Microsoft intends Mobile Device Management (MDM) on Office 365 to replace ActiveSync and provide more security options on Office 365 for administrators and users. It's a good start on Office 365. How could Microsoft improve MDM on Office 365? Here are some features Microsoft could consider adding.

1. Apply "Sync Device" on Office 365 admin center
Users can press the sync button in the Comp Portal app to synchronize the device information back to Office 365. How about the server side? There is no button on the web page to request a sync from mobile devices. Microsoft should consider adding this function to MDM on Office 365.

2. Apply "Clear device passcode" on Office 365 admin center
Sometimes users forget the passcode on their mobile devices. For enrolled mobile devices, Microsoft should consider adding "Clear device passcode" on the web page so administrators can unlock the device passcode for users. However, a mobile device without a passcode isn't compliant. That is temporary: after the passcode is cleared, users have to enter a new passcode immediately to fulfill the compliance requirement.

3. Apply "Remote Lock Device" on Office 365 admin center
A remote lock feature is provided by iCloud or a Google account. Would Microsoft consider adding this feature to MDM for managed devices? :-)

4. Check applied MDM policies on Office 365 admin center
As mentioned, we can apply more than one policy to a device, even though it's not a good practice. I hope Microsoft adds a web page to check which MDM policies are assigned to a mobile device.

I think there is still room for improvement of MDM on Office 365. Please give Microsoft some feedback to improve it.

This posting is provided “AS IS” with no warranties, and confers no rights!

Wednesday, June 24, 2015

Mobile Device Management for Office 365 - Part 4

In this part, I'm going to talk about the security policy of Mobile Device Management on Office 365. There aren't many security policy and device restriction options in MDM on Office 365.



Microsoft has listed which security policies and device restrictions can be applied to iOS, Android and Windows Phone.

Supported security policy on mobile devices

Supported mobile device restrictions


As you can see, many security policies and device restrictions can be applied to iOS devices only. These tables help us understand which security settings and restrictions are applied to each platform.

Remark: There are some additional settings which are configured through PowerShell on Office 365.


Can we apply 2 or more security policies or device restrictions to mobile devices?
Yes, 2 or more policies can be applied to one device.

Which settings will be applied to mobile devices?
If there is no conflict, all settings are applied to mobile devices.

If the same setting is configured with different values, the most restrictive setting will be applied to mobile devices.

Example 1:
The first policy is configured with "Minimum password length is 4".


Another policy configures the same setting to 5.


Both policies are applied to the same user group. Then, users have to enter a 5-digit passcode.

Example 2:
The first policy is configured with "Minimum password length is 4".

Another policy is configured with "Require an alphanumeric password".


Eventually, users are required to enter a new password with 1 special character, and it must still be at least 4 characters long because both settings apply.
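To make the merge rule of the two examples concrete, here is an added example (not from the original post) that models how overlapping MDM policies combine: a setting present in only one policy applies as-is, and a conflicting setting resolves to the more restrictive value. The setting names and the per-setting "more restrictive" rules are assumptions for illustration, not Office 365's internal implementation.

```powershell
# Added example, not code from the original post or from Office 365.
# Each policy is a hashtable of setting -> value. The rules below decide,
# per setting, which of two conflicting values is the more restrictive one.
$Rules = @{
    MinPasswordLength    = { param($a, $b) [Math]::Max($a, $b) }   # longer wins
    RequireAlphanumeric  = { param($a, $b) $a -or $b }             # requiring wins
    MaxInactivityMinutes = { param($a, $b) [Math]::Min($a, $b) }   # shorter lock wins
}

function Merge-MdmPolicy {
    param([hashtable[]] $Policies)
    $effective = @{}
    foreach ($policy in $Policies) {
        foreach ($name in $policy.Keys) {
            if (-not $effective.ContainsKey($name)) {
                # No conflict: the setting is applied as configured
                $effective[$name] = $policy[$name]
            } elseif ($Rules.ContainsKey($name)) {
                # Conflict: keep the more restrictive of the two values
                $effective[$name] = & $Rules[$name] $effective[$name] $policy[$name]
            } else {
                # Refuse to guess a precedence for a setting we have no rule for
                throw "No restrictiveness rule defined for setting '$name'"
            }
        }
    }
    return $effective
}

# Example 1 from the post: minimum length 4 in one policy, 5 in another
$ex1 = Merge-MdmPolicy @(@{ MinPasswordLength = 4 }, @{ MinPasswordLength = 5 })
# Example 2 from the post: minimum length 4 plus an alphanumeric requirement
$ex2 = Merge-MdmPolicy @(@{ MinPasswordLength = 4 }, @{ RequireAlphanumeric = $true })

"Example 1 effective minimum length: $($ex1.MinPasswordLength)"
"Example 2 effective settings: " + (($ex2.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', ')
```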


If an applied policy is removed on Office 365, what will happen on mobile devices?
If the setting is related to email profile on mobile devices, the email profile is deleted automatically on mobile devices.

If the setting is password related, the device doesn't pop up a request for users to change their password. Users need to set a new passcode manually.

Remark: While the policy is updating, the console displays "Turning on", but the policy hasn't been applied to mobile devices yet.


I hope it's easy for you to understand the policy on MDM of Office 365.

Other parts in this series
Mobile Device Management for Office 365 - Part 1
Mobile Device Management for Office 365 - Part 2
Mobile Device Management for Office 365 - Part 3

This posting is provided “AS IS” with no warranties, and confers no rights!

Monday, June 22, 2015

Mobile Device Management for Office 365 - Part 3

In parts 1 and 2, I enabled the Mobile Device Management feature on Office 365 and then created a security policy in the Office 365 admin center to make sure a device is enrolled before it connects to Office 365. In this part, I'm going to walk through enrolling a mobile device and connecting it to the mail server on Office 365.

Prerequisites
  • 1 mobile device without a PIN code (I selected iOS for testing)

After the MDM policy is enabled for the user, the user cannot connect to the mail server on Office 365 to download email until the device is enrolled. The user gets the following email when they try to bypass MDM enrollment.


However, this configuration will fail. :-) Please keep reading.

We need to click "Enroll your device" to get the Microsoft Intune agent from the App Store.


Then, launch the "Comp Portal" agent and enter the user name and password to sign in.


On "Device Enrollment" page, click "Enroll".


Once the device is being enrolled, you can find the device information on the Mobile Device Management for Office 365 page.


Then, we continue installing the Management Profile on the device by pressing "Install".


After enrollment, the device is required to set a passcode.


I pressed "Later" and then tried to access the email. There is no email because the device is blocked.


The MDM profile forces the user to set a passcode after 60 mins.


Go to "Comp Portal" and then click the device to check compliance.



After a few minutes, I got the following message.


Because I checked "Require managing email profile (required for selective wipe on iOS)", I shouldn't have created an email profile by myself. To solve this issue, I need to remove the current Exchange email profile, remove the MDM profile and then enroll again :-(. Android isn't affected by this.

If "Require managing email profile (required for selective wipe on iOS)" is checked, follow these steps.

1. Download "Microsoft Intune Company Portal" from App Store.
2. Enroll the device.
3. Make sure the device is marked "This is the device you are currently using".



4. Open Mail on the device. The email profile, "Office 365 email", is created automatically. A dialog box is shown for you to enter the password of this email account.



Remark: If the "Cancel" button is pressed, users can go to "Settings > Mail, Contacts, Calendars > Office 365 email > Accounts" to enter the password.



Now, the mobile device can connect to Office 365 to get emails.

Remark: "Require managing email profile (required for selective wipe on iOS)" applies an email profile to the built-in iOS Mail application. At this moment, it doesn't apply an email profile to Outlook for iOS.

Additional information:
Based on my testing, there is a limitation of Mobile Device Management on Office 365.

1. Administrators cannot control the number of devices each user can enroll.

I'll keep updating the MDM testing of Office 365.

More information:
Enroll your mobile device in Office 365

Other parts in this series
Mobile Device Management for Office 365 - Part 1
Mobile Device Management for Office 365 - Part 2
Mobile Device Management for Office 365 - Part 4

This posting is provided “AS IS” with no warranties, and confers no rights!