Enabling Windows Live ID creation for On-Premises Mailboxes with Live@EDU
This is an article I’ve been meaning to write for a long time, however actually finding the answer to the problem has always been bottom of my priority list – primarily as no-one had actually asked me if it was possible. So I was quite glad to be challenged by Mike Crowley a couple of weeks ago to come up with a solution.
If you’re reading this and know Office 365, then I’ll take a moment to explain the differences between the way Live@EDU does things and the way Office 365 does it. Exchange Online in both services is pretty much the same – Outlook Live hosted in the same datacentres within the same Exchange Organization. They both synchronize users using the same underlying software, Identity Lifecycle Manager which underpins DirSync and OLSync (the Live@EDU equivalent).
However that’s pretty much where the similarities end. Whilst Office 365 users are synchronised against Microsoft Online Services IDs, Live@EDU users are synchronised against Windows Live IDs.. Yes, the same that are used to login to Messenger, Skydrive etc. Furthermore, unlike Office 365, user passwords are (or usually are, anyway) synchronized from the local Active Directory to the associated Windows Live IDs. That’s very different to Office 365, which relies on ADFS 2.0 to directly use local authentication, preventing passwords needing to be stored outside the local Active Directory.
The Problem
So, what’s the problem I’d been interested in overcoming? Well, OLSync doesn’t create Windows Live IDs (or synchronize passwords) for on-premises mailboxes; it only creates them for mailboxes hosted in Exchange Online.
Instead, it creates Mail Users in Exchange Online that can’t actually be logged on to. In quite a few circumstances, I think that’s a good thing. I don’t like the idea of most users in the organization having their password automatically pushed out to a Windows Live ID.
But (and there is always a but), not everyone has the same security requirements and the convenience of allowing all users – wherever their mailbox is located – access to Live services may be worth the risks. And, if you want to make use of Hybrid Coexistence features in the same way as Office 365 can, like Remote Mailbox moves, automatically creating and synchronizing Windows Live IDs with on-premises Mailboxes makes moving mailboxes back on forth a lot easier.
The Solution
When I was asked how to do this, I was half-convinced it couldn’t be done. I certainly had no intention of re-writing the management agent extension, and from a quick look in the past, didn’t see anything in the configuration and documentation that suggested that it was possible.
So, to cut a long story short, I used the trial of NET Reflector to have a peek inside the DLLs that make up the OLSync management agent and, as it turns out, every time a Mail User is created in Live@EDU for a corresponding On-Premises Mailbox, a flag is checked to see whether it should create a Windows Live ID.
The parameter to set to ensure it does create a Windows Live ID is DisableWLIDOnMailUser, which needs to be set to False in ILM, in the Configure Additional Parameters section of the Exchange Online management agent:
Once that’s set – and the other parameters are correct as per a normal installation, Windows Live IDs will be created for on-premises Mailboxes as they are synchronized.
If this is a new setup, all Mailboxes on-premise that would normally have a Live@EDU Mailuser created will be created with a corresponding Windows Live ID, which should get downlevel password changes the same way normal Live@EDU Mailboxes would from the on-premises Active Directory.
The one caveat is that for existing On-premise Mailboxes / Live@EDU Mailusers that have already been synchronized Windows Live IDs are not created – these need to be manually enabled using the following command:
In the future, this kind of fiddling won’t be neccessary – Office 365 for Education replaces Live@EDU and brings with it the much better ADFS 2.0 integrated Single Sign On and DirSync, which handles rich, hybrid coexistence scenarios a lot better. So I’ll leave you with the full list of optional parameters for you to try out if you are interested in seeing what else OLSync is capable of. Bear in mind though, these are probably unsupported by Microsoft – but could be the solution to something you’ve been trying to do for a while:
public enum ConfigurationParameterName { ClientRetryAttempts, AllowPartialDataImportWithTransientError, DisableWindowsLiveId, FederatedTenant, FederatedIdentitySourceAttribute, FederatedDelegationDomain, FederatedDelegationSourceAttribute, ProvisioningDomain, PasswordFile, FederatedNamespace, ResetPasswordOnNextLogon, NumberOfPages, ClientReportDirectory, DisableWLIDOnMailUser, PreferredDomainController, EnterpriseMode, TargetOU, ForestTrust, EvictLiveIdOnCreate, BypassAdminCountCheck, MVInitialPasswordAttributeName, MVWindowsLiveIdAttributeName, SyncProxyAddressProtocol, SyncGroupAsGroup, NameToDNSuffix, MailboxDeliveryDomain, OutlookLiveX500Sync, ConnectionCleanUpTime }
How to report which Exchange mailboxes group members have full access to
Mailbox access rights in Exchange are easy to assign, however managing them can be a bit of a pain, especially if they are assigned on a per-user basis, or assigned when troubleshooting issues for a user. What would be really useful is the ability to quickly generate a report against a subset of users to check that their access rights fall in line with organisational policies or just to check for any permissions that need revoking.
To help with visibility in this area, I've written a little script that let's you discover this information so you can act on it. Basically, it takes a group of users, then checks all the mailboxes to find out if any of those users have full access rights to mailboxes other than their own, and outputs the results to the console.
So, why did I write this script? Quite simply, to meet a business need - a management requirement to provide a report on what mailboxes the people in the IT department have full access to. However it's not just useful for that - users move around between departments often and while group memberships are routinely updated in most organisations, there's always the off-chance a user's been granted full access to a certain mailbox and that permission hasn't been revoked.
Usage is fairly straightforward. You need to know the group name; after that simply specify it when executing the script:
After execution, the script will expand all the group members (including any in sub-groups), then get all mailboxes. It will compare each mailbox's full access permissions list against those group members and output a result similar to this:
Currently, this is a version 1.1 script. It's aimed at both Exchange 2007 and 2010 at the moment, but I envisage a future version would not only check for other types of permissions set at the mailbox level, but also check for mailbox folder permissions in an Exchange 2010 environment. And, as always your comments and ideas for improvements would be very much appreciated 
# Get mailboxes that one or more members of the specified access have full access permission to
# Helper function to get group members recursively
function Get-GroupMembersRecursive
{
param($Group)
[array]$Members = @()
$Group = Get-Group $Group -ErrorAction SilentlyContinue
if (!$Group)
{
throw "Group not found"
}
foreach ($Member in $Group.Members)
{
if (Get-Group $Member -ErrorAction SilentlyContinue)
{
$Members += Get-GroupMembersRecursive -Group $Member
} else {
$Members += ((get-user $Member.Name).SamAccountName)
}
}
$Members = $Members | Select -Unique
return $Members
}
[array]$Members = @();
$Group = Get-Group $Group -ErrorAction SilentlyContinue;
if (!$Group)
{
throw "Group not found"
}
[array]$Members = Get-GroupMembersRecursive -Group $Group
$Mailboxes = Get-Mailbox -ResultSize Unlimited
foreach ($Mailbox in $Mailboxes)
{
$Result = Get-MailboxPermission $Mailbox | where { ($_.AccessRights -like "*FullAccess*") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") }| Select User
[array]$AccessUsers=@()
foreach ($DomUser in $Result)
{
$Found = $false
$DomUser = [String] $DomUser.User
$UserArray = $DomUser.Split("\")
$User = $UserArray[1]
$Domain = $UserArray[0]
foreach ($Member in $Members)
{
if ($Member -eq $User)
{
$AccessUsers += $User
$Found = $true
}
}
if ($Found -eq $false)
{
# Check if the user exists, if not look for a group.
if ($DomUser -ne "")
{
if (!(Get-User $DomUser -ErrorAction SilentlyContinue))
{
$subGroup = Get-Group $DomUser -ErrorAction SilentlyContinue
if ($subGroup)
{
$subMembers = Get-GroupMembersRecursive -Group $subGroup
foreach ($subMember in $subMembers)
{
foreach ($Member in $Members)
{
if ($Member -eq $subMember)
{
$AccessUsers += $Member
}
}
}
}
}
}
}
}
$AccessUsers = $AccessUsers | Select -uniq
if ($AccessUsers.Count)
{
$Output = "These members of ""$($Group.Name)"" have Full Access permissions to Mailbox ""$($Mailbox)"""
Write-Output $Output
$Dashes=$null;
for ($i=0;$i -lt $Output.Length;$i++)
{
$Dashes = $Dashes + "-"
}
Write-Output $Dashes
$AccessUsers
}
}
Download Get-MailboxPermissionsForGroupMembers.zip
Managing Office 365 and On-Premises Exchange 2010 from the same Powershell Session
I've just been reading on Mike Pfeiffer's blog this article about connecting Remote Powershell to Office 365. I've not yet got my beta account on Office 365, but do use Live@EDU/Outlook Live and had been wondering how similar administration is. It turns out that it's exactly the same (even down to the server names) therefore I thought it might be worth sharing a method I've been using for some…
Because there is such a big overlap of cmdlets between your On Premises Exchange 2010 environment and Office 365/Outlook Live, it can be a bit of a pain when you want to write a script that performs actions on both. I've documented how to do this in a previous post, but when you are disconnecting/connecting between environments, it can get pretty confusing. A simple error in a script can mean you create mailboxes in the wrong environment.
The solution is to use the -Prefix parameter when you're connecting to each environment. This means that, for example, Get-Mailbox can appear as Get-OnPremisesMailbox and Get-CloudMailbox. Your scripts can now easily target either environment, or both in the same script and you won't need to keep on checking whether you're performing actions against the local Exchange server or your "cloud" environment.
To demonstrate how simple this is, here's a quick example of connecting to both environments:
$OnPremisesSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchange.contoso.com/powershell/ -Authentication Kerberos
Import-PSSession $OnPremisesSession -Prefix OnPremises
# Connect to Office 365 / Outlook Live
$CloudCredential=Get-Credential
$CloudSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $CloudCredential -Authentication Basic -AllowRedirection -WarningAction SilentlyContinue
Import-PSSession $CloudSession -Prefix Cloud
This should connect us to both environments and even allow us to combine On Premises and Cloud Powershell cmdlets together. For example, to get a total of all your mailboxes, both On Premises and in Office 365 / Outlook Live:
You can also combine commands via the pipeline. In the next example, we will get all On Premises mail-enabled users that have an External Email Address (eg they are synced using OLSync/DirSync) in our Office 365 / Outlook Live domain, then start a foreach loop (using the % shorthand) and then retrieve details about the mailboxes from Office 365 / Outlook Live:
Finally, a few notes for those who are just starting to play with Office 365 or Outlook Live via Remote Powershell. Firstly, you might need to set your Powershell execution policy (at an elevated command prompt) the first time you connect:
And if you are developing/testing and you find the Get-Credential part above tiresome, you can replace the line with a hard-coded plain text username/password. Be wary of using this in your production environment, due to the security implications of hard-coding an admin password in clear text into a script:
Hope this helps!
Missed Tech Ed Europe 2010? Watch the Exchange Sessions Online Now
This week in Berlin, Germany, TechEd Europe 2010 is taking place. TechEd is Microsoft’s main educational event providing a week of comprehensive training, hands-on labs and a chance to hear about the future of Microsoft products direct from the source.
If (like myself) you’ve been unable to attend TechEd Europe in Berlin this week you’ll be missing out on a number of fantastic Exchange related sessions, covering what’s new in Exchange 2010 SP1, High Availability and Office 365 amongst others.
The good news is that most of these sessions are available to watch online at the Tech Ed website, and also available to download along with the accompanying PowerPoint decks for offline viewing.
For my (and your) convenience, I’ve collated the Exchange and related sessions below and as they are posted online, I’ll keep this article updated.
Update 1: 21:54 11th Nov - Added COS203, COS208-LNC, SIA303 & SIA304
Update 2: 23:07 13th Nov - Added UNC311, UNC401 & UNC 403
Please note – at least for me, the view online links can be a little flaky, but refreshing the page seems to work. The PPT and WMV links are good though.
UNC203 - What's New in Microsoft Exchange Server 2010 SP1? - Scott Schnoll
This session provides details on the many new features and enhancements in Exchange Server 2010 SP1. We’ll start by covering the new pre-requisites for Service Pack 1, the enhancements and changes to setup and deployment, and the choices of permission models. Then we’ll dive into the enhancements in each server role, covering many of more than 75 new features in SP1, such as mailbox audit logging, new IRM functionality, personal archive enhancements and more.
View Online | Download Video | Download PPT | Flickr Photoset
UNC311 - How Outlook connects to Exchange 2010 Client Access Server - Ross Smith IV
The Client Access Server role in Exchange 2010 brings a lot of new features for the end user, but this session will focus on the improvements for the administrator. We will cover what has evolved and what needs to be understood about the following areas: RPC Client Access, Address Book service, client connection behaviors, and load balancing requirements.
View Online | Download Video | Download PPT
UNC308 - Archiving, Retention and Discovery with Microsoft Exchange Server 2010 SP1 - Krish Sundaresan
As the volume of email continues to increase, you are likely to be seeking new and better ways to preserve and discover critical email data to meet an array of IT governance, legal and compliance requirements. To help address these needs, Exchange Server 2010 introduced integrated archiving and discovery capabilities. This session offers a technical overview and demonstration of the features and functionality delivered in Exchange 2010 and SP1.
UNC215-LNC - Exchange 2010 Solutions from HP and Microsoft for Simplified Messaging - Michael Kohs; Tim Doering
Today’s businesses are becoming more and more reliant on email messaging but at the same time, an increasing number of users and mailboxes has lead to uncertainties about the cost and performance of messaging solutions. Learn about HP’s building blocks for building a variety of Exchange implementations, ranging from small and medium sized to large-scale datacenter deployments. With these unique HP building blocks, customers will benefit from: - Increased business efficiency by seamlessly converging the infrastructure stack, using proven industry standard components - Easy setup, management and monitoring using HP’s renowned software suite - Best in class reliability and variety of choices for high-availability solutions - Lower total cost of ownership through savings in floor space, power, cooling and optimized $/GB Learn how only HP can help you to build a high-availability, cost-effective and simple, yet high-performing environment when migrating to Microsoft Exchange 2010.
View Online | Download Video | Download PPT
UNC401 - Microsoft Exchange Server 2010: High Availability Deep Dive (including changes introduced by SP1) - Scott Schnoll
Go far beyond the basics of Exchange High Availability and learn what's really going on under the hood in an Exchange 2010 database availability group (DAG). This session covers key aspects of the inner workings of DAGs, including a deep dive technical discussion on how DAGs rely on quorum and how the DAG witness and witness server are used. You'll also gain a solid understanding of Active Manager and it's best copy selection process. This session also includes details on the continuous replication and database copy management improvements added in SP1.
View Online | Download Video | Download PPT
UNC403 - Native Data Protection in Exchange 2010 SP1 - Ross Smith IV
This session will explain how Exchange 2010 can protect data with features such as mailbox resiliency, single item recovery, and the lagged copy. We will demonstrate how to use Single Item Recovery and Lagged Copies, and look at how these features can replace traditional point-in-time backups for customers, while lowering costs.
View Online | Download Video | Download PPT
COS201 - Office 365: What’s Coming Soon - Jennifer Pisani, Ural Cebeci, Eron Kelly
This session provides a preview of our next generation cloud productivity services, Office 365 (previously known as Business Productivity Online Standard Suite). Office 365 brings together cloud versions of our most trusted email, communication and collaboration software, Exchange Online, SharePoint Online and Lync Online with our familiar Office Professional Plus desktop suite. In this session we will demonstrate how the messaging and collaboration capabilities in now Office 365 has evolved as the latest server technology is deployed in this collection of hosted enterprise software services. Join us for an interactive conversation on the future of productivity and to learn more about Office 365!
View Online | Download Video | Download PPT
COS302 - Office 365: Identity and Access Solutions - Dan Kershaw
This session provides a preview of the identity and access solutions in the next generation of the Business Productivity Online Standard Suite (Office 365). The session will focus on how authentication works for both web apps and rich client apps, how to enable single sign-on (SSO) using corporate AD credentials and AD FS 2.0 to Office 365 services, and the different SSO deployment options for Office 365 services.
View Online | Download Video | Download PPT
UNC204 - BPOS/S Exchange Online - Notes from the field - Neil Johnson
During this session we will take a look at BPOS/S Exchange Online customer deployments in the real world. What problem areas were discovered during the planning, deployment and migration phases and how they were resolved. Also some practical experience of planning for Office 365deployments with Beta customers. This session aims to provide some real world insight into planning for and deploying Exchange Online into your organisation.
COS202 - Microsoft Live@edu: Moving Your School Communication and Collaboration to the Cloud - Ann Vu, David Fisher, Massimo Marzocchi
Moving email to the cloud is a big trend in Education. Lots of schools are also looking at how to leverage cloud solutions for collaboration. Microsoft Live@edu is part of Microsoft's S+S solutions and provides communication and collaboration services for educational institutions at no cost. Join us in this session and become part of a family of thousands of schools that have chosen Live@edu? We outline the current features of a Live@Edu implementation, touching upon key IT and end user scenarios. We also discuss how you can extend Live@edu to best fit your school needs, demonstrate Office Web Apps for the newest release of Microsoft Exchange on the cloud, and provide a sneak preview of where we are headed in the future with SharePoint based collaboration and productivity.
View Online | Download Video | Download PPT
COS203 - Implementing Microsoft Business Productivity Online Standard Suite (BPOS): Planning, Preparation and Migration - Tom Ligon, Philippe Maurent
This session provides guidance for individuals responsible for coordinating and performing customer deployment and migration activities related to migrating customers from their current environment to BPOS-Standard. This session guides attendees through three key deployment project phases: Plan, Prepare, and Migrate, focusing on the tasks handled by partners and customers, and providing a high-level review of tasks handled internally by Microsoft services teams. This session does not cover processes that occur prior to deployment (Sales and Initial Assessment) and post-deployment (Operations).
View Online | Download Video | Download PPT
COS208-LNC - A Walkthrough of the next version of BPOS now called Office 365 - David Anderson
This session will take you through the key features of the future release of the BPOS platform (now called Office 365). We will cover the Onboarding and Administration portals and the new interfaces with Exchange Online, SharePoint Online and Lync, as well as how to access managing users and groups, commerce, mailbox migrations, and support.
SIA303 - Better Together: Mail Protection and Routing Scenarios with FOPE and Office 365 - Cristian Mora, Wendy Wilkes
The next release of FOPE will have new capabilities that not only enable new Office 365 cloud-based application suite and BPOS customers to route mail via FOPE for filtering, but also enable all FOPE customers to configure secure cross-premise hybrid mailflow scenarios that can help customers seamlessly move mail infrastructure to the cloud while maintaining existing investments and configuration. We will present and demonstrate these scenarios and describe the underlying architecture.
View Online | Download Video | Download PPT
SIA304 - Information Protection for Microsoft Exchange Server 2010 SP1 and Exchange Online using AD RMS - Tejas Patel
Learn about new Exchange 2010 SP1 and Exchange Online IRM capabilities that protect content on premises and in the cloud, using AD RMS.
View Online | Download Video | Download PPT
Keep checking this post for updates, and if there’s any good TechEd Europe 2010 Exchange-related sessions online that I’ve missed, let me know in the comments.
More from StevieG.org
- About Me
- Car PC
- Exchange 2010 Virtual Load Balancer
- Exchange Environment Report
- Recommended Exchange Reference Material
Find Me On…
Important Notice
Categories
Recent Posts
- iPhone with Exchange 2010 – Business Integration and Deployment available for pre-order now
- A look back at 2011, and a look forward to 2012
- How to use Multi-Valued Custom Attributes in Exchange 2010 SP2
- Updated – Disabling Auto-mailbox mapping in Exchange 2010
- Updated – Recommended Exchange Reference Material
- Guest Post – How to Improve Your Exchange Performance
Top posts
- Enabling Windows Live ID creation for On-Premises Mailboxes with Live@EDU
- Using the Exchange 2010 SP1 Mailbox Export features for Mass Exports to PST files
- Auto-mapping shared mailboxes in Exchange 2010 SP1 with Outlook 2010 and Outlook 2007
- Generate Exchange Environment Reports using Powershell
- Managing iCal Calendar Sharing with Exchange 2010 SP1 [Updated]
Blogroll
- Aaron Tiensivu's Blog
- Clint Boessen's Blog
- Devin on Earth
- Dougs Blog…
- Elan Shudnow's Blog
- Exchange Server Pro
- Exchange Team Blog
- Exchange2010.com
- Exchangepedia Blog
- Henrik Walther Blog
- Microsoft Messaging and Mobility User Group UK
- Mike Crowley's Whiteboard
- Mike Pfeiffer's Blog
- Nuttin but Exchange
- VMlover by Daniel Eason