Managing Office 365 and On-Premises Exchange 2010 from the same Powershell Session
I've just been reading on Mike Pfeiffer's blog this article about connecting Remote Powershell to Office 365. I've not yet got my beta account on Office 365, but do use Live@EDU/Outlook Live and had been wondering how similar administration is. It turns out that it's exactly the same (even down to the server names) therefore I thought it might be worth sharing a method I've been using for some…
Because there is such a big overlap of cmdlets between your On Premises Exchange 2010 environment and Office 365/Outlook Live, it can be a bit of a pain when you want to write a script that performs actions on both. I've documented how to do this in a previous post, but when you are disconnecting/connecting between environments, it can get pretty confusing. A simple error in a script can mean you create mailboxes in the wrong environment.
The solution is to use the -Prefix parameter when you're connecting to each environment. This means that, for example, Get-Mailbox can appear as Get-OnPremisesMailbox and Get-CloudMailbox. Your scripts can now easily target either environment, or both in the same script and you won't need to keep on checking whether you're performing actions against the local Exchange server or your "cloud" environment.
To demonstrate how simple this is, here's a quick example of connecting to both environments:
$OnPremisesSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchange.contoso.com/powershell/ -Authentication Kerberos
Import-PSSession $OnPremisesSession -Prefix OnPremises
# Connect to Office 365 / Outlook Live
$CloudCredential=Get-Credential
$CloudSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $CloudCredential -Authentication Basic -AllowRedirection -WarningAction SilentlyContinue
Import-PSSession $CloudSession -Prefix Cloud
This should connect us to both environments and even allow us to combine On Premises and Cloud Powershell cmdlets together. For example, to get a total of all your mailboxes, both On Premises and in Office 365 / Outlook Live:
You can also combine commands via the pipeline. In the next example, we will get all On Premises mail-enabled users that have an External Email Address (eg they are synced using OLSync/DirSync) in our Office 365 / Outlook Live domain, then start a foreach loop (using the % shorthand) and then retrieve details about the mailboxes from Office 365 / Outlook Live:
Finally, a few notes for those who are just starting to play with Office 365 or Outlook Live via Remote Powershell. Firstly, you might need to set your Powershell execution policy (at an elevated command prompt) the first time you connect:
And if you are developing/testing and you find the Get-Credential part above tiresome, you can replace the line with a hard-coded plain text username/password. Be wary of using this in your production environment, due to the security implications of hard-coding an admin password in clear text into a script:
Hope this helps!
Set up Federated Free/Busy and Calendar Sharing between Exchange 2010 SP1 and Outlook Live [Updated]
As organizations move to make use of cloud based services, like Exchange Online or Outlook Live, it’s pretty important to be able to integrate both the on-premises service and the cloud service so that end-users can continue to work as normal. That’s especially important with a service like Outlook Live, aimed at Education institutions, where typically staff, faculty and some students will continue to be hosted on-premise and the majority of students will be hosted in the cloud. A seamless experience makes life easier for users and thus easier for IT…
So, with Outlook Live and Exchange 2010 On-Premises there is a pretty good opportunity to get Exchange working seamlessly between both systems. I’ll be covering a unified login in a further article (once I’ve re-written the code we use in-house into a re-distributable form). But for now, I’m focusing on the user experience with free/busy and calendar sharing.
One of the areas users might expect to 
“just work” is free/busy and calendar sharing between on-premise and cloud. The options are there, it looks like it tries to do it.. But the end user just gets unfriendly error messages and “permission denied” errors. To get this up and running in Exchange 2010 SP1 is actually now pretty simple. Although SP1 allows self-signed certificates for Federation, you cannot use these with Outlook Live federation, and you'll need to perform an extra step. However it's still fairly straightforward…
Pre-requisites
First things first, we need a few things in-place and working already before we can get going. The main pre-req is Autodiscover, but I won’t cover how to set this up, as it's is covered in detail elsewhere on the good old ‘net..
-
Autodiscover working for On-Premises for the domain you want to use (using DNS names, not a service records)
-
Autodiscover working for Outlook Live for the domain you want to use (again, using DNS names, not a service record)
-
Separate domains for on-premises and Outlook Live (I’m testing getting shared working – follow up article to come)
-
Exchange 2010 CAS Connectivity to *.outlook.com
-
Org admin rights on Exchange 2010 SP1 and Tenant Admin rights on Outlook Live, along with Powershell access to both.
-
Access to manage the DNS for both domains and add TXT records.
-
External URL setup and tested for Exchange Web Services / WebServicesVirtualDirectory
Once that’s all setup and available, you should be ready to go..
Setting it up
To keep things simple, we’re not going to do anything too complicated, we’re going to set things up so all users in both on-premises and Outlook Live can see each other’s free/busy and share calendars (and contacts). Also, for the purposes of this article it’s assumed no Sharing Policy is setup already.
On our test setup, we’ve got two domains:
On Premises: rootuk.net
Outlook Live: test.rootuk.net
Basically we need to create four things on-premise:
- A Federation Trust to authenticate us against the MS Federation Gateway
- A new sub-domain ExchangeDelegation for the account namespace (in this example, ExchangeDelegation.rootuk.net)
- An Organization Relationship to say Outlook Live can see in for Free busy
- Finally a Sharing Policy to allow on-premise users to share their calendars with Outlook Live users.
In Outlook Live the trust with MS’s Federation Gateway is there by default so we just need the Organization Relationship to allow On-premise to see in and the Sharing Policy to allow the Outlook Live users to share with On-premise users.
First, we’ll setup the on-premise config, then get the Outlook Live stuff done. Afterwards we’ll test everything works.
On Premises Config
Step One – Setup a New Federation Trust using a trusted certificate [Updated 10th Nov 2010]
To setup a Federation Trust for use with Outlook Live, you need to use a certificate from an approved certificate authority. As this list is quite short, you may find it doesn't include you current SAN/UCC certificate provider (for example, if you use the JANET Certificate Service), however this isn't a major issue. The certificate you use for Federation doesn't have to be the same one you currently use for your other Exchange services, so fear not - you don't need to buy a new, expensive SAN/UCC certificate. I've found the cheapest one from GoDaddy works just fine.
If you've already got a supported certificate, you can skip this part and just use your existing certificate thumbprint for the New-FederationTrust command. Otherwise, to generate a new request for a single domain certificate just to use for Federation, use New-ExchangeCertificate:
Next, follow the standard process for your CA, by requesting, then downloading the certificate from the third party certificate provider:
After downloading the certificate, you now need to complete the certificate request by importing the certificate into Exchange:
Note down the Thumbprint in the output, and then create the Federation Trust using that thumbprint value. Note that we’re choosing the "Legacy Provisioning Service" as part of this process. This is why we can't use a self-signed request – these only work against a new “Business” gateway. Outlook Live currently works against a legacy “Consumer” gateway and the -UseLegacyProvisioningService parameter switches us to use that one.
NB.. You'll see in that example above I got an error the first time. This does happen occasionally and I've seen it reported in forums too. The error is "The request failed with HTTP status 403: Forbidden". Just retrying the command should work.
Next, we need to setup a record in DNS for the application ID using the ExchangeDelegation sub-domain and the main On-Premises domain we wish to use for federation. As of SP1, it's possible to use the "Federated Domain Proof" DNS TXT record, but as we're using the legacy method, we will use the Application ID method.
To add the App ID, you need to add a DNS record that contains your Application ID (shown as "ApplicationIdentifier" in the output from "New-FederationTrust", or by entering "Get-FederationTrust") and enter it in the form "AppID=<yourappid>".
If you use Windows DNS, it goes a little something like this:
Once those are both in, reload/HUP your DNS and make sure you can resolve it, both from your Exchange servers and from the outside world. The following command should work:
Now we’ve got the Federated Trust and DNS record sorted, we can get ourselves properly setup with the Federated Gateway. To do this, we first need to add the accepted domain of the Federated namespace:
Next, we first use the Set-FederatedOrganizationIdentifier command to configure the account namespace:
Finally, add the main domain name of the On Premises domain:
Assuming that completes successfully, we can move onto the next step..
Step Two– Setup the On-Premise Organization Relationship
The next step is to allow our Outlook Live domain to see our On-premise Free/Busy info. You can do this via Powershell or the Exchange Management Console:
Via Powershell:
Test that you can get the federation info for your Outlook Live domain. If you get an error, run the command again with the -Verbose parameter for a detailed error and check your autodiscover setup for Outlook Live:
Next, configure the relationship. The LimitedDetails option below is the most open setting for the relationship, which means any user who has chosen to show that much detail will also make it available to the Outlook Live tenant.
If you'd rather configure via Exchange Management Console:
Navigate to Organization Configuration, and select the Organization Relationships Tab. Right click in the whitespace and choose “New Organization Relationship”:
in the New Organization Relationship window, Give a the new relationship a friendly name (e.g. Outlook Live). Select the checkbok "Enable this organization relationship", then choose to enable free/busy access. Choose “Free/busy access with time, plus subject and location” to select the widest access. This means any user who has chosen to show that much detail (i.e. people can see that on-premise right now) will also share it to Outlook Live.
Next enter the Outlook Live domain in the Automatically discover configuration information text box, and press Next.
Check for any errors, and press Finish. If there are errors, and it isn't a typo, then it’s likely to be an Autodiscover issue - but you'll find out most detail on the possible cause if you use the Powershell instructions above.
The new relationship should now be listed underneath Organization Relationships:
Step 3 – Setup the Sharing Policy
To enable our on-premise users to share their information with Outlook Live users we need a sharing policy setup. While you can setup multiple sharing policies and assign them to different users, for this basic sharing we’re going to modify the default sharing policy
Via Powershell:
First, check your settings. Note down the existing Domains value.
Replace the domains value on the Default Sharing Policy setting the original value (or remove it, if you want) and adding the Outlook Live domain. For the Outlook Live domain we're setting the maximum scope for sharing:
If you'd prefer to configure the sharing policy via the Exchange Management Console:
Navigate to Organization Configuration > Mailbox > Sharing Policies, then right click the Default Sharing Policy, then choose Properties:
In the Default Sharing Policy Properties, choose “Add”, then specify the Outlook Live domain. To allow for the maxium level of detail to be shared by individual users, select the last option “Calendar sharing with free/busy information plus subject, location and body, Contacts sharing:
And that’s it for On-Premise. Next.. We need to get the hosted environment setup with with the corresponding parameters:
Outlook Live Setup
For the Outlook Live setup you have to use Powershell – Exchange Management Shell isn’t supported when managing your hosted tenant. If you’re not sure how to connect Powershell see the guide on the Outlook.com help site, but it basically looks a little like this:
Step 1: Setup the Outlook Live Organization Relationship
We get to miss out the first step that we had to do on-premise, setup of the federation trust, because as a tenant of the outlook.com Exchange environment this has already in place.. So we can skip to getting an organization relationship setup with our on-premise domain.
First, we check that we can indeed discover the correct settings by using the Get-FederationInformation command, specifying the on-premise domain:
The output from the command should show details matching the Organization Identifier and Application URI we setup earlier, along with the details of the on-premise Autodiscover environment.
If it returns a failure you may need to double check your Autodiscover settings for the on-premise environment, or in some cases you may need to give it a little while (if you just setup your Federation Trust on-premise) and try again. For example, in my production environment it took around an hour for my production Outlook Live tenant to be able to discover the Federation Information although my test domains could see the same information without any issues.
So.. After you’ve tested Outlook Live can discover the Federation Information, it’s onto actually creating the Organization Relationship. The command is exactly the same as on-premise,we are really just swapping the domain:
Step 2: Setup the sharing policy
Finally, it’s on to the final step – getting the sharing policy sorted. Check out what the Default Sharing Policy currently is before we go and add our on-premise domain:
Then replace the Domains list for the Default Sharing Policy with a value that includes the on-premise domain. In the example below, I’m keeping the settings that were already there and adding the on-premise domain. For consistency, I'm also keeping the same sharing level as set on-premise:
After that, it should all be done. Give it a little bit of time (say, 15 minutes) for everything to take effect and we should be ready to have a play..
Testing it out
For testing purposes on my two domains, on-premise “rootuk.net” and Outlook Live “test.rootuk.net”, I’ve created test accounts in each –“onpremise@rootuk.net” and “outlooklive@test.rootuk.net”. For the screenshots I’ve used OWA, but it works equally well in Outlook.
The first test is for Free/Busy. I’ve created a few test appointments in both calendars and you’ll see availability works just as if the user was on-premise:
In Outlook Live, scheduling a new meeting with the on-premise user as an attendee:
Next, via on-premise Exchange 2010 SP1, with our Outlook Live user as an attendee this time:
The second test is to check it is possible to share a calendar either way, and this is where it strays slightly away from the full range of options available to users within a single environment.
The limitations we’ve got mean that the user must share the calendar using OWA or Outlook 2010, and must use the “share this calendar” options rather than setting permissions directly. The recipient of the permission must add the calendar using the resulting email (they can’t just add it by name) and it’s read-only. this of course means the process can’t be easily automated, but it does allow users to use a common workflow to share folders, via the “share” options.
Sharing a calendar in Outlook Live:
On-premise user receives the sharing invitation and chooses “Add this calendar” to add it:
After adding the calendar, it’s shown in red (in OWA, anyway) while the server retrieves the calendar:
After a minute or so, the Outlook Live calendar shows up alongside the On-premise calendar:
Finally, let's test it from On-premise to Outlook Live:
Select the Calendar’s “Share” option to share the calendar (it's worth noting that the OWA UI has changed between RTM and SP1.. but I digress):
Over in Outlook Live, the Outlook Live user receives the invitation and again, chooses the “Add this calendar” link:
After choosing to add the calendar, the on-premise calendar shows (again after a minute or so to do the first sync) alongside the Outlook Live calendar:
Contacts sharing is again a similar process, although it must be shared using Outlook 2010. Simply right click a contacts folder and choose Share>Share Contacts:
And that’s it – hopefully this will work for you, but if you have any questions or any issues, just use the comments form below.
Update - 10th November 2010: The original article used the -MetaDataURL parameter to use a self-signed certificate with the old "consumer" gateway. This is no longer valid. The article has been updated to reflect the new process, which requires an acceptable third-party certificate and the -LegacyProvisioningService parameter. If you have used the -MetaDataURL parameter to setup Federated Sharing you should remove and re-create both the organizational relationship (both sides) and the federation trust (on premises) using the updated information in "Step 1" of the On Premises Config. You do not need to remove/re-create the sharing policy.
Update - 15th December 2010: The article has been updated to use ExchangeDelegation.domain.com for the Federated Namespace based on advise from the Exchange team. This is a best practise and pre-req for cross-premises Free/Busy.
Checking for unmanaged Live IDs in Outlook Live
This isn’t a post for everyone – it’s aimed at Administrators of a Live@EDU / Outlook Live environment who are looking to find existing unmanaged EASI IDs / Windows Live IDs on the domain they’ve brought onto Outlook Live.
If you’re using automated provisioning you’ll find this can be a problem as when you use the New-Mailbox cmdlet it will fail, and you’ll have to re-run it with either the –ImportLiveID or –EvictLiveID options. This script allows you to get a CSV input file, with the column Username and generate a list of the status of the Live IDs so you can embark on your batch creation knowing where you stand.
Usage: .\Check-Unmanaged.ps1 -AdminUsername admin@uni.edu -AdminPassword Pa$$w0rd -InputFile .\input.csv -OutputFile .\output.csv
The -AdminUsername is typically you’re Outlook Live admin. It needs to be able to connect to the Windows Live Admin web service .-OutputFile is optional - results are printed to the screen also. For each user in your domains you will see either InUse for managed IDs, InUseUnmanaged for IDs you need to evict/import to use and Available for IDs not in use.
The included DLL, ManageDomain2.dll is required. This is auto-generated from the WSDL. If you wish to generate your own you need Visual Studio 2008 or similar. See the source of the ps1 file for the two-lines you need to re-generate the DLL - it's just a proxy web service library.
(NB. No warranty is provided with this script, it is provided as-is and any damage it may do is your responsibility. Please use on your own test environment first. That said - apart from connecting to the service, the main method used is GetMemberNameState)
Download CheckUnmanaged.zip
Writing Powershell scripts that target Exchange 2007 and 2010
If you’re planning a migration to Exchange 2010 that won’t be completed overnight, you may want to be able to run Exchange Powershell scripts that execute both Exchange 2007 and 2010 cmdlets from the same script. There’s a few reasons for doing this, including:
- If you use logic to determine where to place new user mailboxes, and some mailboxes will be on 2007 and some on 2010.
- If you create new mailboxes on Exchange 2007 and then add the new mailbox to a Exchange 2010 distribution group (for example, if you use moderated distribution groups).
- If you’re using Outlook Live (Live@EDU hosted Exchange 2010) and create MailUsers on-premise and Mailboxes in the hosted environment.
- You are using the Transporter suite to migrate mail and need to create mailboxes on a temporary Exchange 2007 server, migrate mail, and then move mailboxes to Exchange 2010.
OK – so my examples are mostly about provisioning and these are real-life examples of where I’ve used this method, but I’m sure you can think of other examples where it might be useful to you. So – what do you need?
- Exchange 2007 SP2 management tools on any OS that supports them.
- Powershell 2.0
- Remote Powershell enabled on the account you run the script as (using Set-User username –RemotePowerShellEnabled:$true)
You can use this on Windows Server 2003 R2, x86; no Exchange 2010 management tools are required. Enough of what you need – here’s what you need to put in your Powershell scripts to do Exchange 2007/2010:
# Add Exchange 2007. If you'll always run from the Exchange Management Shell, you don't need the next line.Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin# Exchange 2007 Commands Go Here - i.e.Get-MailboxDatabase# Unload Exchange 2007Remove-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin# Create Remote Powershell session with Exchange 2010 - edit the server name in ConnetionUri$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchange.contoso.com/powershell/ -Authentication KerberosImport-PSSession $Session# Exchange 2010 Commands Go Here - i.e.Get-MailboxDatabase# Unload Exchange 2010Remove-PSSession $Session
If you’re looking to connect to Outlook Live instead of Exchange 2010, simply replace the line beginning “$Session =” with a couple of lines similar to this:
$LiveCred = New-Object System.Management.Automation.PSCredential "yourliveadmin@contoso.edu", (ConvertTo-SecureString "password" -AsPlainText -Force)$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection -WarningAction SilentlyContinue
Hope this helps!
Steve
More from StevieG.org
- About Me
- Car PC
- Exchange 2010 Virtual Load Balancer
- Exchange Environment Report
- Recommended Exchange Reference Material
Find Me On…
Important Notice
Categories
Recent Posts
- iPhone with Exchange 2010 – Business Integration and Deployment available for pre-order now
- A look back at 2011, and a look forward to 2012
- How to use Multi-Valued Custom Attributes in Exchange 2010 SP2
- Updated – Disabling Auto-mailbox mapping in Exchange 2010
- Updated – Recommended Exchange Reference Material
- Guest Post – How to Improve Your Exchange Performance
Top posts
- Managing Office 365 and On-Premises Exchange 2010 from the same Powershell Session
- Using the Exchange 2010 SP1 Mailbox Export features for Mass Exports to PST files
- Auto-mapping shared mailboxes in Exchange 2010 SP1 with Outlook 2010 and Outlook 2007
- Generate Exchange Environment Reports using Powershell
- Managing iCal Calendar Sharing with Exchange 2010 SP1 [Updated]
Blogroll
- Aaron Tiensivu's Blog
- Clint Boessen's Blog
- Devin on Earth
- Dougs Blog…
- Elan Shudnow's Blog
- Exchange Server Pro
- Exchange Team Blog
- Exchange2010.com
- Exchangepedia Blog
- Henrik Walther Blog
- Microsoft Messaging and Mobility User Group UK
- Mike Crowley's Whiteboard
- Mike Pfeiffer's Blog
- Nuttin but Exchange
- VMlover by Daniel Eason