Prerequisites for Migration Manager for Exchange – Quest

• Read access to the target domain.
• Full Control permission on the organizational units (OUs) (and their child objects) where the target synchronized objects are located.
• Read permission for the Microsoft Exchange container in the target Active Directory.

Setting up accounts:
• Target Active Directory Synchronization Account
This account is used by:
a) the Directory Synchronization Agent (DSA) to access the target Active Directory domain
b) the Mail Source Agent (MSA) to perform the mailbox switch
• Target Exchange Account
This account is used by the Migration Manager for Exchange agents installed on the agent host to access the target Exchange server.
• Target Active Directory Account
This account is used by the Migration Manager for Exchange agents to access the target domain.
• Target Agent Host Account
This account is used to install and run the Migration Manager for Exchange agents on the agent host and to access the license server.

All of these rights can be assigned to a single administrative account.

The administrative account should be a member of the local Administrators group on the following servers:
• The Directory Synchronization Agent servers
• The Migration Manager for Exchange Console server
• The license server specified in the Migration Manager for Exchange Console options
• The agent host servers
• All target Exchange servers involved in the migration

Final Steps:
1. Setting up the target Exchange 2010 organization for Internet mail flow between target and source Exchange organizations
2. Configuring target DNS server for mail forwarding
3. Testing the SMTP connectors (optional)

Target Exchange Account permissions:
• Read access to the target domain.
• Membership in the local Administrators group on all target Exchange servers involved in the migration. If a server is a domain controller, the account should be added to the domain local Administrators group of the domain.
• Full Control permission on the organizational units (OUs) (and their child objects) where the target synchronized objects are located.
• Full Control permission on the Microsoft Exchange System Objects organizational unit in all domains in which target Exchange 2010 servers involved in public folder synchronization reside.
• Full Control permission on the target Exchange 2010 organization.
• Membership in the Public Folder Management group.
• Permissions to log on to every mailbox involved in the migration.
• Membership in the Recipient Management group.


Hybrid deployment cheat sheet:

-> A hybrid deployment can be configured for an Exchange 2007/2010 infrastructure if you have at least one Exchange 2013 server with the CAS and Mailbox roles (preferably both roles on the same server).

  • Exchange 2013 should be on Cumulative Update 1 or later for the hybrid setup
  • Hybrid deployments are supported in all Office 365 plans that support Windows Azure Active Directory Sync
  • The Office 365 tenant should be on version 15.0.620.28 or later to set up a hybrid with Exchange 2013
  • Custom domains
  • Active Directory synchronization
  • Autodiscover DNS records should be registered and point to the on-premises organization
  • Add the Office 365 organization to your Exchange admin center
  • Certificates: the EWS external URL host and the Autodiscover endpoints must be listed in the SAN of the certificate
  • EdgeSync (if Edge Transport servers are used)
  • Hybrid deployment ports, protocols and endpoints should be open
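The certificate and Autodiscover items in the checklist above are the ones that most often fail silently, so here is an added check (example code, not part of the original cheat sheet) that compares what the Hybrid Configuration Wizard will expect against the certificate actually bound to IIS on each Exchange 2013 Client Access server. It assumes an on-premises Exchange Management Shell session; server names, the EWS external URL and the accepted domains are read from the environment, nothing is hard-coded. Only the domains you flag in the wizard need an Autodiscover name, so pass `-Domain` to narrow the list.

```powershell
# Added example: verify that the IIS certificate on each CAS covers the hybrid endpoints.
# Not from the original post. Assumes an on-premises Exchange Management Shell session.

function Test-NameCovered {
    # A SAN entry covers $Name if it matches exactly, or if it is a wildcard and $Name
    # is exactly one label below the wildcard's domain (CAs do not accept a.b.contoso.com
    # for *.contoso.com, so neither do we).
    param([string]$Name, [string[]]$Sans)
    foreach ($san in $Sans) {
        if ($san -eq $Name) { return $true }
        if ($san.StartsWith('*.') -and $Name.Contains('.') -and
            $Name.Substring($Name.IndexOf('.')) -eq $san.Substring(1)) { return $true }
    }
    return $false
}

function Test-HybridCertificateNames {
    param(
        # CAS servers to check; defaults to every Client Access server in the org
        [string[]]$Server = (Get-ClientAccessServer | Select-Object -ExpandProperty Name),
        # Domains that will participate in the hybrid; defaults to all authoritative accepted domains
        [string[]]$Domain = (Get-AcceptedDomain | Where-Object { $_.DomainType -eq 'Authoritative' } |
                             ForEach-Object { $_.DomainName.ToString() })
    )
    foreach ($srv in $Server) {
        # Names the wizard relies on: the EWS external URL host plus autodiscover.<domain>
        $required = @()
        $ews = Get-WebServicesVirtualDirectory -Server $srv
        if ($ews.ExternalUrl) { $required += $ews.ExternalUrl.Host }
        $required += $Domain | ForEach-Object { "autodiscover.$_" }
        $required = $required | Sort-Object -Unique

        # The certificate that actually serves HTTPS is the one with the IIS service enabled
        $cert = Get-ExchangeCertificate -Server $srv |
                Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
        if (-not $cert) {
            Write-Warning "$srv : no certificate has the IIS service enabled"
            continue
        }
        $sans = $cert.CertificateDomains | ForEach-Object { $_.ToString() }

        foreach ($name in $required) {
            [pscustomobject]@{
                Server     = $srv
                Thumbprint = $cert.Thumbprint
                Name       = $name
                InSAN      = Test-NameCovered -Name $name -Sans $sans
                Expires    = $cert.NotAfter
            }
        }
    }
}

# Any row with InSAN = False, or an Expires date in the past, will break the wizard's
# EWS / Autodiscover validation before mail flow is even configured.
Test-HybridCertificateNames | Format-Table -AutoSize
```

Run it before launching the wizard and again after a certificate renewal; a renewed certificate that was re-issued without the Autodiscover name is a common cause of free/busy failures in an otherwise working hybrid.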


Setup Hybrid Wizard:

  • Open the EAC on Exchange 2013 and navigate to the Hybrid node
  • Click Enable to start the Hybrid Configuration Wizard (present your Office 365 credentials when prompted, and on-premises credentials if needed)
  • Use the Add button (+) to select the domains that should participate in the wizard; this selection can be based on your requirement (POC or production roll-out). If multiple domains are selected, flag the domain to be used for Autodiscover, then click Next
  • The wizard produces TXT record information for your organization (domain ownership proof); copy the content and register it as a TXT record in your organization's public DNS
  • Select how mail transport should take place; the options available are:
  a) Configure my Client Access and Mailbox servers for secure mail transport (EOP)
  b) Configure Edge Transport servers for secure mail transport
  c) Enable centralized mail transport (preferred way)
  • Select the Client Access servers that should participate in the receive connector for bi-directional secure mail transport between on-premises and Exchange Online
  • In the next option, select one or more Mailbox servers for configuring the send connector
  • You then land on the option to select the certificate
  • Enter the FQDN of the externally accessible CAS; EOP uses this FQDN when configuring its send connectors
  • Provide the on-premises credentials in the next step, and the cloud credentials too
  • Configure OAuth if needed.

Stop meeting attendees from downloading the meeting content – Lync Online

Hello, dear readers.. 🙂

I recently came across a unique request: stopping meeting attendees from downloading the PPT/Word files shared in a Lync Online conference, to be precise, as a default option. The user did not want to change the permissions again and again.

Everyone will already know that when you present/upload meeting documents, all presenters are allowed to download them by default. But this can be modified to allow only the organizer. This is the setting, which can be found here..

How to select users to download the file/meeting content.

To keep the focus on what you’re presenting and avoid distractions, you can restrict access to download your presentation. Then at the end of the meeting, you can change the options to let people download the slides to view later.

  1. After you’ve uploaded the presentation in the meeting, pause on the presentation icon, and click Manage Presentable Content.
  2. Click the Permissions menu and choose an option:
  • Organizer: only the person who scheduled the meeting can download the presentation.
  • Presenters: any of the presenters in the meeting can download the presentation.
  • Everyone: anyone in the meeting can download the presentation to their computer.

Now what do we do in case we want only the organizer to be able to download it, and no one else, by default whenever new meeting content is shared?

Here is the result of three days of hard labour to find a solution:

I tried to check whether this could be achieved through a registry setting; unfortunately, no luck.

I checked whether there is a conferencing policy that could satisfy my requirement; nothing seemed to help.

At last, I got to know from Microsoft that this feature is not available (the setting cannot be remembered) and it could not be achieved. I went ahead and submitted my feedback to Microsoft asking them to introduce this feature in the next release..

Cheers 😉

Stop Lync Online users from viewing away/idle time

I would like to put a new topic in front of you, which is as below.

Description: whenever a user is idle on their system, logged off, or away, the Lync client shows the away time or idle time to other users. What do we do to make sure that it is not visible to other users in the tenant?

Work around: unfortunately there is no mechanism available to hide the time details, either in the Lync client or through a conferencing or user policy; the only thing available is a "work around". And you would be wondering what the workaround is.

Here it is –

a) Add the internal contact in your tenant with whom you would not like to share your idle/away time to your Lync contacts.

b) Right-click on the contact and choose the option "Change Privacy Relationship".

c) Select the option "External Contacts".

What this does is: the users for whom you have set the relationship as "External Contacts" will be able to see only the below details:

-> Name, title, email address, company and picture in the Lync client

You would now be wondering how to apply this solution to all of the Lync users in the tenant. The answer is, you cannot, due to the product design: you would not be able to make all the users add each other as "External Contacts"; it is too much hard work for them.

Disabling this feature is available in Lync Server on-premises, whereas it is not available with Lync Online. I've shared my feedback with Microsoft on this; hope you would do it too 🙂


Distribution lists vs Groups – Office 365

Recently I posted a blog on how to stop/restrict users from creating a DL through OWA, but while achieving that I came across a question which was something like this:

Question: when we disable the access for users to create distribution lists from OWA, does that stop the users from creating groups? (When I say group, it refers to an option recently introduced by Microsoft for collaboration, which can be created from the OWA main page.)

I scratched my head for a couple of seconds and started my quest for an answer, in order to identify what happens when we create this group (I mean, what cmdlets does the user initiate when performing this activity?). When I checked the admin audit logs there wasn't any clue of it.. so what is happening in the background?? 🙂

Here is the answer:

The search led me to the understanding that both are different and managed by different services. I mean, in our scenario distribution groups are managed by Exchange Online, while the other groups, used for team collaboration, are managed by SharePoint services; since they are integrated with Exchange Online for management, we can see all the options within the portal.

So disabling through RBAC is not going to disable it in SharePoint; hence users will still be able to create SharePoint groups, but they will no longer have access to create Exchange Online groups in the Exchange Control Panel.

The new group feature in OWA is saved in the Groups tab in the Office 365 Admin Center, and we can get the group information in Office 365 PowerShell with the steps below:

  1. Connect PowerShell to Office 365 by referring to:
  2. Type "Get-MsolGroup" to retrieve all the groups (including the other distribution groups or security groups).

At this time, creation of the new groups is controlled by the OWA mailbox policy, not by the RBAC role assignment policy. We need to use Exchange PowerShell to enable/disable the feature per our requirements. For more details, please refer to:

For the distribution groups in Exchange Online, please refer to: to manage them.
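Because the two controls live in different places (RBAC for distribution lists, the OWA mailbox policy for the new groups), the following added example (not from the original post) shows the OWA side: inspect every OWA mailbox policy, switch group creation off on all of them rather than only the default one, confirm which policy users are actually on, and then list the directory's view of the groups as the post describes. It assumes an Exchange Online PowerShell session and, for the last line, a connected MSOnline (Connect-MsolService) session.

```powershell
# Added example: disable creation of the new OWA groups via the OWA mailbox policy.
# Not from the original post. Assumes Exchange Online PowerShell (+ MSOnline for the last line).

# 1. What exists today and what each policy currently allows
Get-OwaMailboxPolicy | Format-Table Name, GroupCreationEnabled, IsDefault -AutoSize

# 2. Turn group creation off on every policy that still has it on.
#    Restricting only the default policy leaves users on any custom policy unaffected.
Get-OwaMailboxPolicy |
    Where-Object { $_.GroupCreationEnabled } |
    ForEach-Object {
        Set-OwaMailboxPolicy -Identity $_.Identity -GroupCreationEnabled $false
        "OWA policy '{0}': group creation disabled" -f $_.Name
    }

# 3. Confirm the policy-to-user mapping: a user is only governed by the policy set on
#    their CAS mailbox, so an empty OwaMailboxPolicy means the default applies.
Get-CASMailbox -ResultSize Unlimited |
    Group-Object { if ($_.OwaMailboxPolicy) { "$($_.OwaMailboxPolicy)" } else { '(default)' } } |
    Select-Object Name, Count

# 4. The directory's view: distribution, security and collaboration groups side by side
Get-MsolGroup -All | Select-Object DisplayName, GroupType, EmailAddress | Sort-Object GroupType
```

Note that this only affects creation through OWA; it does not remove the RBAC entries that let a user create a distribution list, which is the separate procedure covered in the DL post.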

How to restrict users from creating DLs in O365

This document describes the process for restricting users from creating distribution lists (DLs) in Office 365.

Users who are migrated into the O365 infrastructure currently have the rights to create their own distribution groups, and they can choose any name they like, which means a lack of a standard naming convention. This makes it very difficult, time consuming, confusing and frustrating for users to find the correct lists.

The restriction applies only to the creation of new DLs, not to managing the existing DLs of which the user is an owner.

The defined requirement is: allow only approved users to create and delete DLs.

Proposed solution

User rights are defined through a Role Based Access Control (RBAC) role assignment policy that is assigned to every user. The management roles in that policy define what actions a user can perform, and can be used to restrict certain actions. Removing the appropriate role entries from a copy of the management role denies the user the ability to create their own DLs.

Configuration steps

Configuration is set up in three parts:

a) Creation of a new management role with MyDistributionGroups as the parent

b) Removal of the role entries that would enable the user to create or remove a distribution list

c) Assignment of the new management role to the role assignment policy

a) Creation of a new management role with MyDistributionGroups as the parent

Detailed steps:

Connect to Exchange Online PowerShell with admin privileges and run the following cmdlet to create the new management role:

New-ManagementRole -Parent MyDistributionGroups -Name MyDistributionGroupsNoDlCreation

Creating the management role on its own is not sufficient, as it still contains the role entries that let the user create a new DL; the necessary role entries need to be removed before it is assigned to the users.

b) Removing role entries

Role entries are the cmdlets that the user has the right to execute. To deny the user access, the following role entries need to be removed:

  • New-DistributionGroup
  • Remove-DistributionGroup

The following cmdlets remove both role entries:

Remove-ManagementRoleEntry MyDistributionGroupsNoDlCreation\New-DistributionGroup

Remove-ManagementRoleEntry MyDistributionGroupsNoDlCreation\Remove-DistributionGroup

After executing the cmdlets, verify that the role entries for New-DistributionGroup and Remove-DistributionGroup are no longer present in the newly created management role.

c) Assigning the new management role to the role assignment policy

The management role can now be assigned to users by executing the following steps:

-> Go to the Exchange admin center

-> Select the Permissions tab

-> Under User Roles, open the role assignment policy that is assigned to the users

-> Scroll down, uncheck the 'MyDistributionGroups' management role and put a check mark on 'MyDistributionGroupsNoDlCreation'

-> Press Save to complete

Verification step:

To verify, log in to OWA as one of the users, select Options and, under the Groups menu, check whether the + (new) button and the delete button are still present; after the change they should no longer be.

Roll back procedure:

-> Go to the Exchange admin center

-> Select the Permissions tab

-> Under User Roles, open the role assignment policy that is assigned to the users

-> Scroll down, uncheck the 'MyDistributionGroupsNoDlCreation' management role and put a check mark on 'MyDistributionGroups'

-> Press Save to complete
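The three parts above, plus the verification and the rollback, as one script instead of EAC clicks (an added example, not part of the original post). It assumes an Exchange Online PowerShell session with Organization Management rights and that the users are on the built-in "Default Role Assignment Policy"; change `$Policy` if your tenant uses a different one. The script is idempotent, so re-running it after a partial failure is safe.

```powershell
# Added example: restrict DL creation via a trimmed copy of MyDistributionGroups.
# Not from the original post. Assumes Exchange Online PowerShell, Organization Management rights.

$Policy  = 'Default Role Assignment Policy'   # assumption: the policy your users are on
$NewRole = 'MyDistributionGroupsNoDlCreation'
$Denied  = 'New-DistributionGroup', 'Remove-DistributionGroup'

# a) Child role: inherits every entry of MyDistributionGroups (members, owners, etc.)
if (-not (Get-ManagementRole -Identity $NewRole -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Parent MyDistributionGroups -Name $NewRole | Out-Null
}

# b) Strip only the entries that create and delete groups
foreach ($cmdlet in $Denied) {
    if (Get-ManagementRoleEntry "$NewRole\$cmdlet" -ErrorAction SilentlyContinue) {
        Remove-ManagementRoleEntry "$NewRole\$cmdlet" -Confirm:$false
    }
}

# Verify before assigning anything: neither entry may remain on the new role
$left = Get-ManagementRoleEntry "$NewRole\*" | Where-Object { $Denied -contains $_.Name }
if ($left) { throw "Role entries still present on $NewRole : $($left.Name -join ', ')" }

# c) Swap the assignment on the policy: drop the parent role, assign the trimmed one.
#    Leaving MyDistributionGroups assigned would re-grant New-DistributionGroup, because
#    RBAC is additive across all roles in the policy.
Get-ManagementRoleAssignment -Role MyDistributionGroups -RoleAssignee $Policy -ErrorAction SilentlyContinue |
    Remove-ManagementRoleAssignment -Confirm:$false
if (-not (Get-ManagementRoleAssignment -Role $NewRole -RoleAssignee $Policy -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -Role $NewRole -Policy $Policy | Out-Null
}

# What the policy now grants for distribution groups
Get-ManagementRoleAssignment -RoleAssignee $Policy |
    Where-Object { "$($_.Role)" -like 'MyDistributionGroups*' } |
    Format-Table Role, RoleAssigneeName, Enabled -AutoSize

# Rollback (uncomment to run): put the built-in role back, remove the custom assignment
# Get-ManagementRoleAssignment -Role $NewRole -RoleAssignee $Policy | Remove-ManagementRoleAssignment -Confirm:$false
# New-ManagementRoleAssignment -Role MyDistributionGroups -Policy $Policy | Out-Null
```

A quick OWA login as an affected user remains the final check; RBAC changes can take a little while to show up in the OWA options page.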

Hybrid mailbox move error – CommunicationErrorTransientException

Hello All,

I would like to share one interesting issue which we came across recently.

Issue description: when we tried to move 20 mailboxes, all except one completed successfully, whereas one mailbox did not. When we checked the user's move request status, the mailbox was in a locked state.

Symptoms: in order to check the mailbox status, we checked the move status and observed that the mailbox status was locked, with the message below displayed on the move request.

Status : InProgress
StatusDetail : StalledDueToMailboxLock

Message : Informational: The request has been temporarily postponed because the mailbox is locked. The Microsoft
Exchange Mailbox Replication service will attempt to continue processing the request after XX/XX/XX

The next thing I did was pull out the complete report for the move request (the -IncludeReport switch is what populates the report entries):

Get-MoveRequest -Identity <emailaddress> | Get-MoveRequestStatistics -IncludeReport | Export-Clixml c:\export.xml

Looking at the XML file, I could see loads of errors with the following details:

Transient error CommunicationErrorTransientException has occurred. The system will retry

Relinquishing job because the mailbox is locked

There is a problem with the page you are trying to reach and it cannot be displayed
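Reading the exported XML by eye does not scale past one mailbox. The following added example (not from the original post) pulls the same information out programmatically: it finds move requests stalled on a mailbox lock, counts the CommunicationErrorTransientException / "mailbox is locked" report entries per mailbox and shows when they started and last occurred. It can run either against a live Exchange Online (or on-premises hybrid) session or offline against an Export-Clixml file such as the one produced above; the pattern to match is a parameter.

```powershell
# Added example: summarise transient errors from move request reports.
# Not from the original post. Assumes an Exchange PowerShell session, or a Clixml export.

function Get-StalledMoveErrors {
    param(
        # Path to a file written with Export-Clixml; omit to query live move requests
        [string]$ClixmlPath,
        # Report messages to count; the two strings seen in the post by default
        [string]$Pattern = 'CommunicationErrorTransientException|mailbox is locked'
    )
    if ($ClixmlPath) {
        $stats = Import-Clixml -Path $ClixmlPath
    } else {
        # -IncludeReport populates .Report.Entries; without it the report is empty
        $stats = Get-MoveRequest -MoveStatus InProgress |
                 Get-MoveRequestStatistics -IncludeReport |
                 Where-Object { "$($_.StatusDetail)" -eq 'StalledDueToMailboxLock' }
    }
    foreach ($s in $stats) {
        $hits = @($s.Report.Entries | Where-Object { "$($_.Message)" -match $Pattern })
        $first = $hits | Select-Object -First 1
        $last  = $hits | Select-Object -Last 1
        [pscustomobject]@{
            Mailbox      = $s.DisplayName
            StatusDetail = "$($s.StatusDetail)"
            FailureCode  = $s.FailureCode
            ErrorCount   = $hits.Count
            FirstError   = $first.CreationTime
            LastError    = $last.CreationTime
            # Errors per minute over the window: a steady high rate from the same source
            # is the signature of rate limiting at the edge rather than a one-off glitch
            PerMinute    = if ($hits.Count -gt 1) {
                               [math]::Round($hits.Count / [math]::Max(1, ($last.CreationTime - $first.CreationTime).TotalMinutes), 1)
                           } else { $null }
            LastMessage  = "$($last.Message)"
        }
    }
}

# Live:    Get-StalledMoveErrors | Format-List
# Offline: Get-StalledMoveErrors -ClixmlPath C:\export.xml | Format-List
Get-StalledMoveErrors | Format-List
```

If many mailboxes show the same error at a high, regular rate, look at the reverse proxy or firewall in front of the on-premises servers before suspecting the mailboxes themselves.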

Reason for this issue:

This issue may occur if the on-premises Microsoft Forefront Threat Management Gateway (TMG) server blocks HTTP requests from servers in the Office 365 environment. This happens because of the flood mitigation feature in Forefront TMG, a mechanism that helps lessen flood attacks: the Mailbox Replication service's burst of HTTP requests from a small set of Office 365 IP addresses trips the per-IP request limit.

Solution:

To fix this issue, a small change is needed at the TMG level; here are the steps to follow:

1. Open the Forefront TMG management console, and then, in the tree, click Intrusion Prevention System.
2. Click the Behavioral Intrusion Detection tab, and then click Configure Flood Mitigation Settings.
3. In the Flood Mitigation dialog box, follow these steps:
   a. Click the IP Exceptions tab, and then type the IP addresses that the Office 365 environment uses to connect during the mailbox move operation. To view a list of the IP address ranges and URLs that are used by Exchange Online in Office 365, visit the following Microsoft website:

   b. Click the Flood Mitigation tab, and then, next to Maximum HTTP Requests per minute per IP address, click Edit. In the Custom limit box, type a number to increase the limit.

   Note: the custom limit applies only to IP addresses listed on the IP Exceptions tab. Increase only the custom limit, not the default one, so the protection stays in place for every other source. In Microsoft's example, the custom limit is set to 6,000. Depending on the number of mailboxes being moved, this number may not be sufficient; if you still receive the error message, increase the custom limit.

   c. Click OK.

Not able to assign a new role assignment policy – Exchange Online – O365

Here is another interesting topic.

I had received a request to create a new role assignment policy and assign it to all of the users within the tenant. All went well up to the creation and application of the role assignment policy, but a problem arose when we tested whether the policy was getting applied to newly created objects.

I had made the new role assignment policy the default, but it still did not get applied: I created a new mailbox/shared mailbox and it did not get applied to it. Strange, isn't it?

After loads of investigation and head-breaking, it was understood that in order to assign a role assignment policy throughout the tenant, it has to be assigned to the license type, i.e. the mailbox plan.

You may have various Exchange Online plans available to you. To pull out the list of Exchange Online mailbox plans, run the following command and copy the plan alias names:

Get-MailboxPlan | fl alias

Once you have the plans, run the following command to set the new role assignment policy on each:

Set-MailboxPlan -Identity MailboxPlanName -RoleAssignmentPolicy NewRoleAssignmentPolicy

Run the above command against each of the plans, and newly created mailboxes should get the new role assignment policy applied. For the mailboxes that already exist, a small foreach script does the job 🙂
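That foreach script, written out as an added example (not from the original post): it updates every mailbox plan so new mailboxes inherit the policy, then moves the existing user and shared mailboxes that still carry another policy, and finally shows the distribution of policies across the tenant. It assumes an Exchange Online PowerShell session; `NewRoleAssignmentPolicy` is a placeholder for your policy's name. Run the mailbox loop with `-WhatIf` on `Set-Mailbox` first in a large tenant.

```powershell
# Added example: roll a role assignment policy out to mailbox plans and existing mailboxes.
# Not from the original post. Assumes an Exchange Online PowerShell session.

$NewPolicy = 'NewRoleAssignmentPolicy'   # placeholder: replace with your policy's name

# Fail early on a typo rather than half-way through the mailbox loop
if (-not (Get-RoleAssignmentPolicy -Identity $NewPolicy -ErrorAction SilentlyContinue)) {
    throw "Role assignment policy '$NewPolicy' does not exist"
}

# 1. Mailbox plans: one per Exchange Online license type, each with its own default policy.
#    This is what new mailboxes copy from, which is why marking the policy "default" alone
#    did not work in the post.
Get-MailboxPlan | ForEach-Object {
    if ("$($_.RoleAssignmentPolicy)" -ne $NewPolicy) {
        Set-MailboxPlan -Identity $_.Identity -RoleAssignmentPolicy $NewPolicy
        "Plan {0}: {1} -> {2}" -f $_.Alias, $_.RoleAssignmentPolicy, $NewPolicy
    }
}

# 2. Existing mailboxes (user and shared) still on a different policy
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox |
    Where-Object { "$($_.RoleAssignmentPolicy)" -ne $NewPolicy } |
    ForEach-Object {
        Set-Mailbox -Identity $_.Identity -RoleAssignmentPolicy $NewPolicy
        "Mailbox {0}: {1} -> {2}" -f $_.PrimarySmtpAddress, $_.RoleAssignmentPolicy, $NewPolicy
    }

# 3. Verify: every policy still in use and how many mailboxes are on it
Get-Mailbox -ResultSize Unlimited |
    Group-Object { "$($_.RoleAssignmentPolicy)" } |
    Select-Object Name, Count
```

Mailboxes created after step 1 pick the policy up from their plan, so the loop in step 2 only needs to run once.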


Problem in the whiteboard – Lync Online, while saving the whiteboard details

For a couple of months Microsoft had been struggling to make the whiteboard feature work; since it started working in September, another issue has been seen with the whiteboard feature..

Issue description: when users use the whiteboard feature, add some details and make some changes, and at the end of the meeting try to save the information, it does not save the complete whiteboard data to the JPG file, only part of it..

When this issue was reported to Microsoft it was passed on to the product group to get it fixed. The current update is that the Microsoft product group is still working on it, and here are the work arounds Microsoft suggests using until the issue is completely fixed.

a) Work around 1: when updating the whiteboard is completed, take a screen capture of it and save it on your computer.

b) Work around 2: the user can annotate with any other type (i.e. ink) and place a dot in the bottom right corner of the canvas. When users trigger the save functionality, it captures everything from the top left corner to the dot in the bottom right corner. This way, users get a full-fidelity save.

Meanwhile, while the MS product group is busy fixing this issue, use the above work arounds 😉 cheers...!!

Update: the MS product team seems to have put the gun down and is suggesting to use the work arounds; fixing the issue seems to be a lot more cumbersome for them, and it seems customers will have to wait a longer time.
