Author: Anandan

Office 365 identity models – Part 2 (Good for Beginners)

Office 365 identity models – Introduction

Choosing the right authentication method for Office 365 looks simple on paper, but once you get into the details you may realize it is not that easy. Choosing the correct authentication method is the first concern for organizations that want to move their applications to the cloud.

This article continues the Office 365 identity model series. Let us look at the remaining identity models in this part.

How Pass-through Authentication works

As far as we know today, the preferred solution from Microsoft's point of view is to use ADFS to authenticate on-premises users for cloud services such as Azure or Office 365. This works very well, and many articles on how to configure the claims and so on can be found on the internet and also on my blog.

However, if a company does not want to use ADFS for authentication, there is another method that Microsoft supports, although it is not as common as the ADFS solution. In this article I want to present an alternative using Azure AD with Pass-through Authentication.

The whole authentication process is as follows:

  • The user tries to access an application, for example, Outlook Web App.
  • If the user is not already signed in, the user is redirected to the Azure AD User Sign-in page.
  • The user enters their username and password into the Azure AD sign in page, and then selects the Sign in button.
  • Azure AD, on receiving the request to sign in, places the username and password (encrypted by using a public key) in a queue.
  • An on-premises Authentication Agent retrieves the username and encrypted password from the queue. Note that the Agent does not poll the queue frequently; it retrieves requests over a pre-established persistent connection.
  • The agent decrypts the password by using its private key.
  • The agent validates the username and password against Active Directory by using standard Windows APIs, which is a similar mechanism to what Active Directory Federation Services (AD FS) uses. The username can be either the on-premises default username, usually userPrincipalName, or another attribute configured in Azure AD Connect (known as Alternate ID).
  • The on-premises Active Directory domain controller (DC) evaluates the request and returns the appropriate response (success, failure, password expired, or user locked out) to the agent.
  • The Authentication Agent, in turn, returns this response back to Azure AD.
  • Azure AD evaluates the response and responds to the user as appropriate. For example, Azure AD either signs the user in immediately or requests Azure Multi-Factor Authentication.
  • If the user sign-in is successful, the user can access the application.
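
To make the flow above concrete, here is an added PowerShell illustration (not Microsoft's code and not part of the original article) that models the exchange between Azure AD, the request queue and the on-premises Authentication Agent inside a single process. The agent's RSA key pair, the sample accounts and passwords, and the Test-OnPremCredential stand-in for the Windows logon API are all constructed for the example; nothing here contacts Azure AD or a domain controller.

```powershell
# Added illustration of the Pass-through Authentication flow. This is a model of the
# message flow only: the "cloud", the "queue", the "agent" and the "directory" below are
# in-process stand-ins, and all key material, accounts and passwords are constructed.

# --- On-premises side: the Authentication Agent owns an RSA key pair. ---------------------
# Only the agent ever holds the private key; Azure AD receives the public half when the
# agent is registered. RSACng is used because it supports OAEP-SHA256 on Windows PowerShell.
$agentKey    = [System.Security.Cryptography.RSACng]::new(2048)
$agentPublic = $agentKey.ExportParameters($false)   # modulus and exponent only, no private key

# Stand-in for the on-premises directory (constructed sample accounts).
$directory = @{
    'alice@contoso.com' = @{ Password = 'P@ssw0rd-alice'; LockedOut = $false }
    'bob@contoso.com'   = @{ Password = 'P@ssw0rd-bob';   LockedOut = $true  }
}

function Test-OnPremCredential {
    # Stand-in for the Windows logon API call the real agent makes against a domain controller.
    param([string]$UserName, [string]$Password)
    $acct = $directory[$UserName]
    if (-not $acct)                    { return 'Failure' }
    if ($acct.LockedOut)               { return 'LockedOut' }
    if ($acct.Password -cne $Password) { return 'Failure' }
    return 'Success'
}

# --- Cloud side: Azure AD stand-in. ---------------------------------------------------------
# It imports only the agent's public key, so it can encrypt a password but never decrypt one.
$cloudRsa = [System.Security.Cryptography.RSACng]::new()
$cloudRsa.ImportParameters($agentPublic)
$queue = [System.Collections.Queue]::new()

function Submit-SignIn {
    # Azure AD receives the sign-in, encrypts the password with the agent's public key and
    # places the request on the queue. The cleartext password is never stored cloud-side.
    param([string]$UserName, [string]$Password)
    $bytes  = [System.Text.Encoding]::UTF8.GetBytes($Password)
    $cipher = $cloudRsa.Encrypt($bytes, [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256)
    $queue.Enqueue(@{ UserName = $UserName; EncryptedPassword = $cipher })
}

function Invoke-AgentPass {
    # The agent pulls one request over its persistent connection, decrypts it with its private
    # key, validates on-premises, and hands only the verdict back to the cloud.
    $req       = $queue.Dequeue()
    $plain     = $agentKey.Decrypt($req.EncryptedPassword, [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256)
    $clearText = [System.Text.Encoding]::UTF8.GetString($plain)
    $result    = Test-OnPremCredential -UserName $req.UserName -Password $clearText
    [Array]::Clear($plain, 0, $plain.Length)    # discard the cleartext bytes once used
    return @{ UserName = $req.UserName; Result = $result }
}

# --- Walk the flow for three constructed sign-in attempts. ----------------------------------
Submit-SignIn -UserName 'alice@contoso.com' -Password 'P@ssw0rd-alice'   # valid password
Submit-SignIn -UserName 'alice@contoso.com' -Password 'wrong-password'   # bad password
Submit-SignIn -UserName 'bob@contoso.com'   -Password 'P@ssw0rd-bob'     # account locked out

while ($queue.Count -gt 0) {
    $verdict = Invoke-AgentPass
    # Azure AD acts on the verdict: sign the user in, ask for MFA, or reject the attempt.
    '{0,-20} -> {1}' -f $verdict.UserName, $verdict.Result
}
```

The point to take from it is the key handling: the cloud side holds only the public half of the agent's key, so it can place an encrypted password on the queue but cannot read it, and only the verdict (success, failure, locked out) travels back. Run it in Windows PowerShell 5.1 or PowerShell 7 on Windows; it prints one line per sign-in attempt.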

Federated Identity

Federated identity offers some unique security options not available in other scenarios, but it also has the most requirements in terms of server infrastructure. To enable federated identity, you need to deploy Active Directory Federation Services (ADFS) in an on-premises network. A typical deployment is a two-server farm at separate sites (Azure has an option to add a second site for single-datacenter customers). Two additional servers are needed in a DMZ (demilitarized zone, sometimes referred to as a perimeter network) to securely publish ADFS to the internet. Once ADFS is in place, federated identity can be enabled with a few PowerShell commands.

Similar to pass-through authentication, user logon attempts are passed back to the ADFS farm to validate against your local Active Directory. Outlook 2013 or later will use modern authentication to communicate with ADFS. Web browsers are redirected to the ADFS server to complete their authentication. This lets you use what is called SmartLinks technology to allow users to log on directly to SharePoint Online without entering a username or password.

You also have access to security features not available in other scenarios. You can enable client access filtering, which lets you restrict access to Microsoft cloud services based on IP address (commonly used for hourly employees who should not be able to check email from home). You can also integrate with on-premises multi-factor authentication servers (although you should be looking at Microsoft Azure options for MFA).

Advantages of federated identity
  • Full SSO capabilities in the web browser and Outlook.
  • Advanced security configurations available including the ability to filter connection on source IP address.
  • No need to sync a password hash.
  • ADFS farm can be reused with other cloud services that support SAML.

Disadvantages of federated identity
  • Additional infrastructure requirements.
  • Additional points of failure.
  • Additional cost to setup.
  • SSL certificate from a public CA is required which will require periodic updating.

Refer to the Microsoft link below for more details.

Office 365 Migration Types – Best article for early learners


With the ever-increasing use of cloud computing, more and more businesses are making the switch to Office 365 for its cloud-based communication, collaboration and productivity capabilities. Microsoft 365 or Office 365 supports several methods to migrate email, calendar, and contact data from your existing messaging environment to Microsoft 365 or Office 365.

In this article we are going to look at the Office 365 migration types available for moving from Exchange to Office 365.

Factors to Consider When Choosing an Office 365 Migration Type

When it is time to choose between Office 365 migration types, these are the factors to consider before proceeding:

  • How much time do you need to migrate?
  • How big is your migration budget?
  • How much data do you need to migrate?
  • Which existing email system are you using?
  • Which version of Exchange Server are you using?

Types of migrations

  • Staged migration
  • Hybrid migration
  • Cutover migration
  • IMAP migration

Staged Migration

As the name suggests, staged migration is a method in which the accounts are split into batches before moving to Office 365. This is done over an extended period. Consider using staged migration in the following cases.

  • There are over 2000 mailboxes
  • You are using the legacy Microsoft Exchange Server 2003 or Microsoft Exchange Server 2007
  • You are experiencing unexplained failures while migrating a large number of mailboxes and splitting them into batches improves the chances of success
  • The email migration is complex, and end-users cannot be disrupted with tight deadlines

How to do staged migration in Office 365

  • Synchronize the existing users with Office 365 using AD sync
  • Generate a CSV list of all the accounts to be migrated
  • Create a batch to move email, contacts, and calendar items to Office 365 and convert the existing accounts to Office 365 mailboxes
  • Repeat the last two steps for every batch

Advantages of staged migration in Office 365

  • Maximum flexibility in moving the accounts
  • Minimizes the chances of being stuck with tight deadlines
  • Reduces disruption of major business services for end-users
  • The batch sizes can be managed for optimal performance

Disadvantages of staged migration in Office 365

  • Needs careful planning because of the complexity
  • A dedicated administrator has to be actively involved throughout the process
  • Out of Office messages are not migrated with user mailboxes

Hybrid migration

Some organizations have to retain their on-premises servers while simultaneously moving to the cloud-based Office 365 services. Such a scenario arises when the admin wants to keep managing AD accounts on-premises while users use Office 365 mailboxes and services in the cloud.
One of the greatest benefits of MRS-based moves is that we do not need to recreate Outlook profiles and re-download the OST after migration, because the mailbox keeps the same ExchangeGuid and mailbox signature when it is moved. With hybrid remote moves, we migrate all the data contained in the mailbox and cannot skip any of it (such as the dumpster or the junk folder).

How to do hybrid migration in Office 365

Hybrid migration is a slightly more complicated process and is best outsourced to experts because of the complexities involved. There are several prerequisites for a hybrid deployment, the most important of which is the version compatibility of the Exchange servers. The Office 365 subscription must include Azure Active Directory synchronization to support hybrid deployments, and the appropriate permissions must be available for the deployment. The generic steps for a hybrid migration are:

  • Creation of remote migration endpoints
  • Enabling the MRSProxy service on the on-premises Exchange servers
  • Using the remote move migration type to move on-premises mailboxes to Exchange Online and completing the migration batches
  • Enabling offline access for Outlook Web App

Advantages of hybrid migration in Office 365

  • Secure connection between on-premises and Office 365 accounts
  • Shared domain name, calendar, username and password for both accounts
  • Integrated control for on-premises and Office 365 accounts
  • Message tracking, MailTips, and multi-mailbox search features for both accounts
  • Office 365 archiving features extend to on-premises Exchange mailboxes
  • Free/busy information sharing is possible both ways.
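
The staged and hybrid procedures above both come down to feeding a CSV of mailboxes into a migration batch and watching it complete. The following is an added example (not from the original article) of that step for a hybrid remote move, written for an Exchange Online PowerShell session. The endpoint name, batch name, on-premises host mail.contoso.com, the *.mail.onmicrosoft.com delivery domain, the CSV path and the two mailboxes in it are constructed placeholders.

```powershell
# Added example: create and monitor an Exchange Online migration batch from a CSV.
# Assumes a connected Exchange Online PowerShell session; all names and paths are placeholders.

# 1. The CSV that drives the batch. A remote-move CSV needs only EmailAddress; a staged
#    migration CSV additionally carries Password and ForceChangePassword columns.
$csvPath = 'C:\Migration\batch1.csv'
@'
EmailAddress
alice@contoso.com
bob@contoso.com
'@ | Set-Content -Path $csvPath -Encoding ASCII

# 2. A migration endpoint describing how Exchange Online reaches on-premises. For
#    ExchangeRemoteMove the MRSProxy must be enabled on the on-premises EWS virtual directory;
#    a staged migration would use -ExchangeOutlookAnywhere with -Autodiscover instead.
$onPremCred = Get-Credential -Message 'On-premises migration account (e.g. CONTOSO\migadmin)'
$endpoint = Get-MigrationEndpoint -Identity 'OnPrem-RemoteMove' -ErrorAction SilentlyContinue
if (-not $endpoint) {
    $endpoint = New-MigrationEndpoint -ExchangeRemoteMove -Name 'OnPrem-RemoteMove' `
        -RemoteServer 'mail.contoso.com' -Credentials $onPremCred
}

# 3. The batch. -CSVData takes the raw bytes of the file; TargetDeliveryDomain is the tenant's
#    routing domain used to stamp the remote routing address on the moved mailbox.
$batch = New-MigrationBatch -Name 'Batch1-Pilot' -SourceEndpoint $endpoint.Identity `
    -TargetDeliveryDomain 'contoso.mail.onmicrosoft.com' `
    -CSVData ([System.IO.File]::ReadAllBytes($csvPath)) `
    -NotificationEmails 'migration-admins@contoso.com' -AutoStart

# 4. Per-user progress. Failed users are inspected and retried individually without touching
#    the rest of the batch, which is the reason for moving mailboxes in batches at all.
function Get-BatchReport {
    param([string]$BatchId)
    Get-MigrationUser -BatchId $BatchId | ForEach-Object {
        $stats = Get-MigrationUserStatistics -Identity $_.Identity
        [pscustomobject]@{
            Mailbox      = $_.Identity
            Status       = $_.Status
            SyncedItems  = $stats.SyncedItemCount
            SkippedItems = $stats.SkippedItemCount
            Error        = $stats.Error
        }
    }
}

Get-BatchReport -BatchId $batch.Identity | Format-Table -AutoSize

# Users in a Failed state can be restarted once the cause has been fixed:
# Get-MigrationUser -BatchId $batch.Identity -Status Failed | Start-MigrationUser
```

Run Get-BatchReport repeatedly while the batch is syncing; a batch created with -AutoStart syncs immediately but still needs Complete-MigrationBatch before the mailboxes are finalized in Exchange Online.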

Disadvantages of hybrid migration in Office 365

  • Creates avoidable complications due to the concurrent existence of mailboxes
  • Necessity to use Azure Active Directory and Office 365 password syncing
  • Compulsion to keep the legacy Exchange servers active for longer periods

Cutover migration

A cutover migration is the simplest method to move mailboxes to Office 365. It is similar to staged migration, except that all mailboxes are moved at once. Needless to say, the number and size of mailboxes must be significantly smaller when opting for cutover migration.

How to do cutover migration in Office 365

  • Create a security group in Office 365 for the new mailboxes
  • Connect the servers of the existing system with Office 365
  • Move mailbox items to Office 365
  • Re-route incoming mails by changing DNS records
  • Confirm migration completion

Advantages of cutover migration in Office 365

  • One of the simplest migration types available
  • Can be done within a few days
  • Compatibility with legacy Exchange servers starting with Exchange 2003
  • No need for syncing passwords
  • Distribution groups, contacts, and other items are also migrated

Disadvantages of cutover migration in Office 365

  • Less flexibility in terms of selectively moving objects and mailboxes
  • Extensive manual configuration requirements on individual desktops
  • No Azure Active Directory synchronization between on-premises servers and Office 365

IMAP Migration

While the other three Office 365 migration types depend solely on Exchange, an IMAP (Internet Message Access Protocol) migration allows you to transition users from Gmail or any other email system that supports IMAP migration.

An IMAP migration pulls information from your source mailboxes and hands it over to Office 365. However, IMAP migration doesn’t transition anything other than email. Calendar items, tasks and contacts all stay in the original inbox and have to be migrated manually by the user.

You’ll also have to create a mailbox for each user before initiating the email migration – something other migration types automatically create for you.

IMAP migrations have a limit of 50,000 total mailboxes and 5,000,000 items. And once the migration is complete, any new mail sent to the original mailbox won’t be migrated.

Disadvantages of IMAP migration in Office 365

  • You can only migrate items in a user’s inbox or other mail folders. This type of migration doesn’t migrate contacts, calendar items, or tasks.
  • You can migrate a maximum of 500,000 items from a user’s mailbox (emails are migrated from newest to oldest).
  • The biggest email you can migrate is 35 MB.
  • If you limited the connections to your source email system, it’s a good idea to increase them to improve migration performance. Common connection limits include client/server total connections, per-user connections, and IP address connections on either the server or the firewall.

Microsoft reference URL

Compress and Archive IIS logs using PS Script

Low disk space may cause a service outage for the customer if it goes unnoticed.
As we know, most disk space gets occupied by log files, and these could be any log files on Windows or of third-party applications running on Windows.

Exchange servers can accumulate a lot of IIS log files over time. As a best practice, administrators configure IIS to store logs on a different disk to avoid problems; the rest wait for free-disk-space alerts and manually remove old logs from time to time.
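
The article's own script is not included on this page; the following is an added example, not the author's script, of what such a job looks like: it compresses IIS logs older than a retention window into one zip per site and month on another disk, and deletes an original only after confirming it is inside the archive, so the logs stay available for later investigation. The log path (the IIS default), the archive drive and the retention window are assumptions.

```powershell
# Added example: compress and archive IIS logs older than $KeepDays, then remove the originals.
# LogRoot is the IIS default; ArchiveRoot (a separate disk) and KeepDays are assumptions.
param(
    [string]$LogRoot     = 'C:\inetpub\logs\LogFiles',
    [string]$ArchiveRoot = 'E:\IISLogArchive',
    [int]   $KeepDays    = 14      # logs younger than this are left uncompressed for daily use
)

$cutoff = (Get-Date).AddDays(-$KeepDays)
New-Item -ItemType Directory -Path $ArchiveRoot -Force | Out-Null
Add-Type -AssemblyName System.IO.Compression.FileSystem

# IIS writes one folder per site (W3SVC1, W3SVC2, ...); the current day's file is locked by IIS,
# but it is far younger than the cutoff and is never selected here.
$oldLogs = Get-ChildItem -Path $LogRoot -Recurse -Filter '*.log' -File |
           Where-Object { $_.LastWriteTime -lt $cutoff }

# One zip per site folder and month, so an archive can later be located by date.
$oldLogs | Group-Object { '{0}_{1:yyyy-MM}' -f $_.Directory.Name, $_.LastWriteTime } | ForEach-Object {
    $zipPath = Join-Path $ArchiveRoot ($_.Name + '.zip')
    # -Update appends to an archive created by an earlier run of this job.
    Compress-Archive -Path $_.Group.FullName -DestinationPath $zipPath -Update -ErrorAction Stop

    # Delete only originals that are verifiably inside the archive.
    $zip = [System.IO.Compression.ZipFile]::OpenRead($zipPath)
    try {
        $archived = $zip.Entries.Name
        foreach ($log in $_.Group) {
            if ($archived -contains $log.Name) {
                Remove-Item -Path $log.FullName -Force
            } else {
                Write-Warning "Not found in $zipPath, keeping: $($log.FullName)"
            }
        }
    } finally {
        $zip.Dispose()
    }
    '{0}: {1} file(s) archived' -f $zipPath, $_.Count
}

# Report the free space on the log volume so the effect of the run is visible in job output.
$logDrive = (Get-Item $LogRoot).PSDrive.Name
Get-PSDrive -Name $logDrive | Select-Object Name, @{ n = 'FreeGB'; e = { [math]::Round($_.Free / 1GB, 1) } }
```

Schedule it with Task Scheduler under an account that can read the log folders and write to the archive disk. Compress-Archive cannot produce archives larger than 2 GB, so on a busy server keep the grouping at one month or tighten it to one week.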

Knowledge Transition – Quick Guide for Microsoft 365 ( Part 2 )

Knowledge Transition – Continuation from Part 1

Let us continue with more topics on knowledge transition for O365.

This Part 2 guide will be helpful when you are scheduling the Knowledge Transition from another company as the support contract moves away from them to your organization.

The Knowledge Transition questionnaire below will help you understand the customer's environment once it has been answered.

General Exchange Application Environment

  • Which Office 365 features are implemented: Exchange\SharePoint\Lync\Yammer\Office365Pro?
  • Are the mailbox quota and storage limit quota the Office 365 defaults or customized?
  • Is journaling applied on any mailboxes?
  • Are contacts created directly in Office 365?
  • Does the address book contain users from multiple domains?

Backup/Restore Policy

  • Is mailbox restore supported for individual mailboxes?
  • Is end-user email restore documented, or has training been conducted?


  • Is incident management in scope?
  • Is problem management in scope?
  • Is change management in scope?
  • Which kind of changes need customer approval and which ones do not need?
  • Incident Queue details
  • Change Queue details
  • Contact person details for change management process
  • Current ongoing issues / workarounds
  • Process to create a mailbox
  • Process to create Distribution Group & Security Group
  • Process to create shared/resource mailbox
  • Process to change user’s UPN
  • Process for password reset
  • Process to provide mailbox access or calendar access permissions
  • Process to provide mailbox access or calendar access permissions on a user mailbox that doesn’t exist in the Org.

Business continuity

  • Multiple Directory synchronization available?
  • Multiple ADFS available?


  • Is there any kind of report that needs to be prepared?
  • If the answer is yes, how is it done? Manually or automatically? What is covered in the report?
  • How frequently we need to provide such reports (Monthly/weekly)?

List of documents required to validate

  • Licence Details
  • Attachment blacklist
  • Microsoft escalation & contact details
  • Last 3 months' ticket details
  • Script for Reporting
  • OWA,ActiveSync,Retention policy details
  • SLA details

Refer link for Deployment planning checklist for Microsoft 365

Knowledge Transition Quick Guide for Microsoft 365 ( Part 1 )

Knowledge management is the process of capturing, distributing and effectively using and reusing knowledge.

In this article we will take a look at the knowledge transition questionnaires for Microsoft 365.
This guide will be helpful when you are scheduling the Knowledge Transition from another company as the support contract moves away from them to your organization.

Exchange 2013 Cumulative Update installation Best Practices – Part 2

This article continues the step-by-step procedure for installing a cumulative update on an Exchange 2013 DAG, covering the remaining steps.


Send & Receive connectors configuration Backup

Once you are done with the Exchange virtual directory backup described in Part 1, make sure to export the configuration of the send and receive connectors as well. This output will help you check for any mismatch in the send and receive connector configuration after the CU upgrade.

Open the Exchange Management Shell and run the following commands to back up the send and receive connectors (Server1 stands for the server being upgraded):

$FormatEnumerationLimit = -1

Get-SendConnector | Format-List | Out-File "C:\sendconnector.txt"

Get-ReceiveConnector -Server Server1 | Format-List | Out-File "C:\Server1_Receiveconnector.txt"

Disable Services

Prior to the cumulative update upgrade, disable third-party services and the services listed below. This will help the cumulative update install smoothly.

  • BES Client
  • Antivirus services
  • Monitoring application services
  • Qualys Cloud Agent
  • SplunkUniversalForwarder
  • Scan mail for Exchange
  • Backup Services ( Data Protector , Netbackup )

OWA Customization Backup

If your organization or customer has customized the OWA page, take a backup of the OWA theme from the following path:

C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1365\themes

Certificate Revocation

Starting with IE 7.0, server certificate revocation checking is enabled by default. You can disable this feature by clicking Internet Options on the Tools menu, selecting the Advanced tab, and unchecking the Check for server certificate revocation check box as shown in the figure. You need to restart IE for this setting to take effect.

Disabling the revocation check in production environments is not recommended, so you must make sure to enable it again after the cumulative update upgrade. Certificate revocation checking protects your clients against the use of invalid server authentication certificates, either because they have expired or because they were revoked (e.g., when a server certificate was compromised).

[Figure: Internet Options, Advanced tab, "Check for server certificate revocation" check box]

Execution Policy

By default the execution policy is Unrestricted. If your organization has configured the execution policy as RemoteSigned or Restricted, make sure to set the value to Unrestricted with the following command:

Set-ExecutionPolicy Unrestricted

Make sure to revert the value to the original setting once the cumulative update is finished.

Upgrade cumulative update

You can download the cumulative update from the Microsoft Download Center. In this article I am going to show you how to upgrade to Cumulative Update 23. You can download Cumulative Update 23 from the link given below.

Once the cumulative update is downloaded, extract the file into a separate folder.

Cumulative updates and Service Packs should be installed in the internet-facing site first, before installing in other sites in the organization.

  • The first servers to be updated in a site are the Mailbox servers.
  • The Client Access servers are updated second.
  • Edge Transport servers can be updated last.

The scenario we are going to look at is upgrading the cumulative update on a multi-role server (Mailbox, CAS and HUB) infrastructure.

Before starting the upgrade, put the server into maintenance mode, either manually or with the built-in script. Here we are going to use the built-in script to put the server into maintenance mode.

The entire process can be done from the Exchange Management Shell.

To start, open the EMS and go to:

C:\Program Files\Microsoft\Exchange Server\V15\Scripts

In the first step we put the first Exchange server in the DAG into maintenance mode by running the script below:

C:\Program Files\Microsoft\Exchange Server\V15\Scripts>.\StartDagServerMaintenance.ps1 -ServerName Server1

Once it has run, all databases will move to the second Exchange server.

To verify that the server is in maintenance mode, type:

Get-DatabaseAvailabilityGroup -Status | fl Name, Server*


Cumulative updates can be applied using either the command line or the graphical setup, whichever you prefer. Follow the pre-installation steps outlined earlier in this article.

Do not run the upgrade from the Exchange Management Shell, as this will cause it to fail due to locked files.
Run the upgrade from an elevated command prompt.

Upgrading Using the Command Line

In an elevated command prompt run the following command from the location where you extracted the cumulative update files.

Setup /m:upgrade /IAcceptExchangeServerLicenseTerms

The command prompt window will display the progress as the upgrade proceeds.


After the cumulative update has been installed, restart the server when prompted to do so.

If you placed the server into maintenance mode, run the built-in script to stop maintenance mode after the installation is finished:

C:\Program Files\Microsoft\Exchange Server\V15\Scripts>.\StopDagServerMaintenance.ps1 -ServerName Server1

Once the cumulative update is complete on all servers, you can use the built-in RedistributeActiveDatabases.ps1 script to redistribute the databases based on activation preference:

.\RedistributeActiveDatabases.ps1 -DagName DAG1 -BalanceDbsByActivationPreference -Confirm:$false

To verify and confirm the Exchange build number after the cumulative upgrade, run the commands below to list the ExSetup.exe file version for all servers, as shown below:

$servers = Get-ExchangeServer -Identity servername*
$servers | ForEach-Object { Invoke-Command -ComputerName $_.Fqdn -ScriptBlock { Get-Command ExSetup.exe | ForEach-Object { $_.FileVersionInfo } } }

[Figure: ExSetup.exe FileVersionInfo output from all servers]

Note: the above is the product version of Cumulative Update 23 and Security Update for Exchange Server 2013 CU23 (KB4536988).

Exchange 2013 Cumulative Update installation Best Practices – Part 1

This article demonstrates the step-by-step procedure for installing a cumulative update on an Exchange 2013 DAG.

Microsoft support policy on CU:

Microsoft supports the last two cumulative updates, so currently cumulative updates 22 and 23 are supported. Cumulative updates are released every 3 to 6 months.

Below are the best practices that need to be considered before the CU upgrade:

  • Make sure to install and test the CU in the DEV/Test environment before installing it in production
  • If you do not have a dev/test environment, consider waiting a week or two from the date of the CU release before installing the update in production
  • Make sure to have a good Exchange and AD full backup before the upgrade
  • Back up any customized configuration that exists in the environment (such as customizations to the OWA theme)
  • Back up all virtual directory configurations
  • If the cumulative update requires an Active Directory schema update, make sure your account has the required rights and permissions
  • As a best practice, always run the schema update from a domain controller, not from the Exchange server
  • Make sure to deselect "Check for Publisher's certificate" and "Check for server certificate revocation" under Internet Explorer -> Internet Options, Advanced tab, Security options
  • Disable antivirus software and services
  • Disable backup services to make sure no backup runs during the cumulative update
  • Always run the cumulative update from an elevated command prompt
  • Download the CU from the Microsoft Download Center and extract the downloaded file
  • Put the DAG member into maintenance mode (if required)
  • Upgrade the Active Directory schema (if required)
  • Install the CU
  • Take the DAG members out of maintenance mode
  • Reboot the servers before and after the cumulative upgrade for a smoother upgrade
  • Make sure to do the required server health checks and end-to-end client checks after the CU upgrade.
  • If the cumulative update requires a newer .NET Framework version as a prerequisite, make sure the required .NET Framework version is installed on the Exchange servers as well as on the domain controller from which you are updating the schema.
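
The last items in the list above, the post-upgrade health checks, are where a half-finished CU shows up. The following is an added example (not from the article) of a check script for that step, run from the Exchange Management Shell after the DAG members have left maintenance mode and RedistributeActiveDatabases.ps1 has been run, as described in Part 2. It uses the DAG name DAG1 from the article's own commands; the queue and copy-queue thresholds are assumptions to tune for your environment.

```powershell
# Added example: post-CU health checks for an Exchange 2013 DAG, run from the EMS.
# DagName defaults to the DAG1 used in the article; thresholds are assumptions.
param([string]$DagName = 'DAG1')

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check {
    param([string]$Name, [bool]$Passed, [string]$Detail = '')
    $results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
}

$members = (Get-DatabaseAvailabilityGroup -Identity $DagName).Servers | ForEach-Object { $_.Name }

# 1. Every member reports the same build; a DAG left on mixed CU levels is the first thing to rule out.
$builds   = Get-ExchangeServer | Where-Object { $_.Name -in $members } | Select-Object Name, AdminDisplayVersion
$distinct = @($builds | ForEach-Object { $_.AdminDisplayVersion.ToString() } | Sort-Object -Unique)
Add-Check 'Uniform build' ($distinct.Count -eq 1) (($builds | ForEach-Object { "$($_.Name)=$($_.AdminDisplayVersion)" }) -join '; ')

foreach ($s in $members) {
    # 2. Required Exchange services are running for each installed role.
    $down = Test-ServiceHealth -Server $s | Where-Object { -not $_.RequiredServicesRunning }
    Add-Check "Services on $s" (-not $down) (($down | ForEach-Object { $_.ServicesNotRunning }) -join ', ')

    # 3. Database copies are mounted or healthy with no queue build-up after leaving maintenance mode.
    foreach ($c in Get-MailboxDatabaseCopyStatus -Server $s) {
        $ok = ($c.Status -in 'Mounted', 'Healthy') -and $c.CopyQueueLength -lt 10 -and $c.ReplayQueueLength -lt 10
        Add-Check "Copy $($c.Name)" $ok "$($c.Status) CopyQueue=$($c.CopyQueueLength) ReplayQueue=$($c.ReplayQueueLength)"
    }

    # 4. Replication health, and a MAPI logon against every active database on the server.
    $repl = Test-ReplicationHealth -Identity $s | Where-Object { $_.Result -ne 'Passed' }
    Add-Check "Replication on $s" (-not $repl) (($repl | ForEach-Object { $_.Check }) -join ', ')
    $mapi = Test-MAPIConnectivity -Server $s | Where-Object { $_.Result -ne 'Success' }
    Add-Check "MAPI on $s" (-not $mapi) (($mapi | ForEach-Object { $_.Database }) -join ', ')

    # 5. Transport queues are draining; a queue stuck in Retry after the reboot shows up here first.
    $stuck = Get-Queue -Server $s | Where-Object { $_.MessageCount -gt 100 -or $_.Status -eq 'Retry' }
    Add-Check "Queues on $s" (-not $stuck) (($stuck | ForEach-Object { "$($_.Identity):$($_.MessageCount)" }) -join ', ')
}

# 6. After RedistributeActiveDatabases.ps1, each database should be active on its preference-1 server.
foreach ($db in Get-MailboxDatabase -Status | Where-Object { $_.MasterServerOrAvailabilityGroup -eq $DagName }) {
    $preferred = ($db.ActivationPreference | Where-Object { $_.Value -eq 1 }).Key.Name
    Add-Check "Placement $($db.Name)" ($db.ServerName -eq $preferred) "active on $($db.ServerName), preferred $preferred"
}

$results | Format-Table -AutoSize -Wrap
$failed = @($results | Where-Object { -not $_.Passed })
if ($failed.Count -gt 0) { Write-Warning "$($failed.Count) check(s) failed"; exit 1 }
```

The non-zero exit code lets the script sit at the end of a change window as a gate: run it once before the upgrade to get a known-good baseline, then again after, and compare the two outputs before closing the change.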

Here is the Microsoft wiki link to verify the CU build numbers, and the link to download the CUs:

Exchange 2013

Cumulative Update

Configuration Backup

You can use the following commands to back up the configuration of your environment, especially the virtual directories; this will help you in case any configuration mismatch occurs after the CU upgrade (Server1 stands for the server being upgraded):

  • Get-OwaVirtualDirectory -Server Server1 | fl > owavirdir.txt
  • Get-EcpVirtualDirectory -Server Server1 | fl > ecpvirdir.txt
  • Get-ActiveSyncVirtualDirectory -Server Server1 | fl > ASvirdir.txt
  • Get-WebServicesVirtualDirectory -Server Server1 | fl > Webservvirdir.txt
  • Get-OabVirtualDirectory -Server Server1 | fl > oabvirdir.txt
  • Get-MapiVirtualDirectory -Server Server1 | fl > mapivirdir.txt
  • Get-OutlookAnywhere -Server Server1 | fl > outlookanywhere.txt
  • Get-ClientAccessServer -Identity Server1 | fl > CAS_Server.txt
  • Get-MailboxServer -Identity Server1 | fl > MBX_Server.txt
  • Get-TransportServer -Identity Server1 | fl > Transport_Server.txt
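
The virtual directory commands above, and the send/receive connector export in Part 2, each produce a text file that has to be eyeballed afterwards. The following is an added example (not the article's own commands) that captures the same objects into one timestamped folder, both as the readable Format-List text and as CLIXML, and includes a function that diffs a pre-upgrade snapshot against a post-upgrade one property by property. Server1 is the server name used in the article; the BackupRoot path is an assumption.

```powershell
# Added example: snapshot Exchange 2013 client access, transport and connector configuration
# before a CU, and diff it afterwards. Server1 is from the article; BackupRoot is an assumption.
param(
    [string]$Server     = 'Server1',
    [string]$BackupRoot = 'C:\ExchangeConfigBackup'
)

$FormatEnumerationLimit = -1     # show whole collections (URL lists, bindings) in the text output
$stamp  = Get-Date -Format 'yyyyMMdd-HHmm'
$outDir = Join-Path $BackupRoot "$Server-$stamp"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Name -> script block returning the objects to capture. Per-server cmdlets take the server
# name; send connectors are organization-wide and are captured once. Get-TransportService is
# the Exchange 2013 name for Get-TransportServer; both work there.
$captures = [ordered]@{
    OwaVirtualDirectory         = { Get-OwaVirtualDirectory         -Server $Server }
    EcpVirtualDirectory         = { Get-EcpVirtualDirectory         -Server $Server }
    ActiveSyncVirtualDirectory  = { Get-ActiveSyncVirtualDirectory  -Server $Server }
    WebServicesVirtualDirectory = { Get-WebServicesVirtualDirectory -Server $Server }
    OabVirtualDirectory         = { Get-OabVirtualDirectory         -Server $Server }
    MapiVirtualDirectory        = { Get-MapiVirtualDirectory        -Server $Server }
    OutlookAnywhere             = { Get-OutlookAnywhere             -Server $Server }
    ClientAccessServer          = { Get-ClientAccessServer          -Identity $Server }
    MailboxServer               = { Get-MailboxServer               -Identity $Server }
    TransportService            = { Get-TransportService            -Identity $Server }
    ReceiveConnector            = { Get-ReceiveConnector            -Server $Server }
    SendConnector               = { Get-SendConnector }
}

foreach ($name in $captures.Keys) {
    $objects = & $captures[$name]
    $objects | Format-List * | Out-File -FilePath (Join-Path $outDir "$name.txt") -Width 300
    $objects | Export-Clixml -Path (Join-Path $outDir "$name.xml")
}
"Configuration snapshot written to $outDir"

# Run after the CU with the pre-upgrade folder as -Before and the new one as -After.
function Compare-ConfigSnapshot {
    param([string]$Before, [string]$After)
    foreach ($xml in Get-ChildItem -Path $Before -Filter '*.xml') {
        $old = Import-Clixml $xml.FullName
        $new = Import-Clixml (Join-Path $After $xml.Name)
        # Identity pairs each object across the two snapshots; every property is compared as text.
        foreach ($o in $old) {
            $n = $new | Where-Object { $_.Identity -eq $o.Identity }
            foreach ($p in $o.PSObject.Properties.Name) {
                if ("$($o.$p)" -ne "$($n.$p)") {
                    [pscustomobject]@{ Object = $o.Identity; Property = $p; Before = "$($o.$p)"; After = "$($n.$p)" }
                }
            }
        }
    }
}
# Example: Compare-ConfigSnapshot -Before 'C:\ExchangeConfigBackup\Server1-20240101-0900' -After $outDir
```

Expect a few benign differences in the diff (WhenChanged, AdminDisplayVersion, ExchangeVersion); anything else, such as a reset InternalUrl, authentication method or connector binding, is what the backup exists to catch.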

Active Directory Schema Update

As mentioned earlier, some cumulative update versions require the Active Directory schema to be updated before the actual Exchange CU update.

For Exchange 2013, you can refer to the link below for the Exchange 2013 objects in Active Directory that get updated each time you install a new version of Exchange 2013. You can compare the object versions you see with the values in that table to verify that the version of Exchange 2013 you installed successfully updated Active Directory during installation.

For an Exchange 2013 CU update, the objects in Active Directory listed below get updated from the previous version.

You can use the following commands to verify the objectVersion and rangeUpper values in your environment before and after the schema update (replace sternauto with your Exchange organization name and DC=contoso,DC=net with your domain):

  • Get-ADObject -Identity "CN=ms-Exch-Schema-Version-Pt,CN=Schema,CN=Configuration,DC=contoso,DC=net" -Properties rangeUpper | Select-Object rangeUpper | Format-List
  • Get-ADObject -Identity "CN=sternauto,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=net" -Properties objectVersion | Select-Object objectVersion | Format-List
  • Get-ADObject -Identity "CN=sternauto,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=net" -Properties msExchProductId | Select-Object msExchProductId | Format-List
  • $RootDSE = ([ADSI]"").distinguishedName
    ([ADSI]"LDAP://CN=Microsoft Exchange System Objects,$RootDSE").objectVersion

Below are the sample objectVersion and rangeUpper values of the environment, captured before the CU 23 upgrade:

[Figure: objectVersion and rangeUpper values captured before the CU 23 upgrade]

You can find the remaining procedure for cumulative update in Exchange 2013 Cumulative Update installation Best Practices – Part 2