Disable Exchange Mailbox Protocols via PowerShell Script

Many companies limit the ability of some of their users (but not all of them) to leverage all of the default protocols enabled for accessing a mailbox in Office 365/Exchange Online while still allowing them to connect with Outlook via MAPI.

Unfortunately, it’s not possible to create an OWA profile or a POP profile, for example, that enables/disables the protocols for any user to which it’s assigned. Therefore, administrators must disable these protocols for each individual user at the CASMailbox level.

To help alleviate this, I’ve created a script that leverages security groups in Azure AD (and on-premises AD if they are synchronized via DirSync) as a way to indicate which users should be allowed the use of a certain protocol.

By default, the script will assume your groups are named as listed below, but you could use any group name you want and feed that to the script via a command-line parameter.

  • Office365-AllowActiveSync
  • Office365-AllowOWA-Device
  • Office365-AllowIMAP
  • Office365-AllowPOP

When run, the script will disable the protocols for ANY user who is NOT a member of the above-referenced groups.

This script also leverages my WriteTo-Log function so that a running log can be generated keeping track of each change made to each user’s mailbox for auditing purposes.

Finally, there are optional command-line parameters (-From, -To, -SMTPServer) that can be used to ensure the log is emailed to an address of your choice after completing.

You can download the script here.
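
The membership rule above (disable each protocol for any user outside its allow group), as an added dry-run example; this is not the author's downloadable script. The mapping from group names to `Set-CASMailbox` settings, the function name `Get-ProtocolDisablePlan` and the sample data are assumptions of this example.

```powershell
# Added example, not the author's script. The group-to-setting mapping is an assumption.
$ProtocolByGroup = [ordered]@{
    'Office365-AllowActiveSync' = 'ActiveSyncEnabled'
    'Office365-AllowOWA-Device' = 'OWAforDevicesEnabled'
    'Office365-AllowIMAP'       = 'ImapEnabled'
    'Office365-AllowPOP'        = 'PopEnabled'
}

function Get-ProtocolDisablePlan {
    param(
        [Parameter(Mandatory)] [object[]]  $CasMailbox,   # rows shaped like Get-CASMailbox output
        [Parameter(Mandatory)] [hashtable] $GroupMembers  # group name -> member SMTP addresses
    )
    foreach ($group in $ProtocolByGroup.Keys) {
        # A failed group lookup must not read as "nobody is allowed".
        if (-not $GroupMembers.ContainsKey($group)) { throw "No membership data for $group" }
    }
    foreach ($mbx in $CasMailbox) {
        foreach ($group in $ProtocolByGroup.Keys) {
            $setting = $ProtocolByGroup[$group]
            $allowed = @($GroupMembers[$group]) -contains [string]$mbx.PrimarySmtpAddress
            if (-not $allowed -and $mbx.$setting) {   # skip protocols that are already off
                [pscustomobject]@{ Identity = [string]$mbx.PrimarySmtpAddress
                                   Setting  = $setting
                                   Reason   = "not a member of $group" }
            }
        }
    }
}

# Constructed sample data standing in for live query results.
$mailboxes = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'alice@contoso.com'; ActiveSyncEnabled = $true
                       OWAforDevicesEnabled = $true; ImapEnabled = $false; PopEnabled = $true }
    [pscustomobject]@{ PrimarySmtpAddress = 'bob@contoso.com'; ActiveSyncEnabled = $true
                       OWAforDevicesEnabled = $false; ImapEnabled = $true; PopEnabled = $true }
)
$groups = @{
    'Office365-AllowActiveSync' = @('alice@contoso.com')
    'Office365-AllowOWA-Device' = @()
    'Office365-AllowIMAP'       = @('bob@contoso.com')
    'Office365-AllowPOP'        = @()
}
$plan = Get-ProtocolDisablePlan -CasMailbox $mailboxes -GroupMembers $groups
$plan | Format-Table -AutoSize

# Live session: review $plan, then apply each row (drop -WhatIf to commit):
# foreach ($p in $plan) { $s = @{ Identity = $p.Identity }; $s[$p.Setting] = $false; Set-CASMailbox @s -WhatIf }
```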


Update Send Connector SSL Certificate for Hybrid Configuration

Recently had a customer with an Exchange 2013 Hybrid config require updating an expired SSL certificate. When they imported the new certificate and assigned it SMTP services, mail flow from on-premises to Office 365 stopped.

This was because the on-premises send connector to Office 365 was still configured to look for that expired certificate (which had also been deleted already).

The fix was to perform the following:

  1. Open Exchange Management Shell on the on-premises Exchange server
  2. Run Get-ExchangeCertificate, and note the Thumbprint of the correct certificate to be used. 
  3. Run $cert = Get-ExchangeCertificate -Thumbprint <thumbprint>
  4. Set a new variable and assign it the concatenated values of the Issuer and Subject values of the certificate (must also include <I> and <S> before each field):
    $TLSCert = ('<I>'+$cert.issuer+'<S>'+$cert.subject)
  5. Update the send connector with the new values
    Set-SendConnector -Identity "Send Connector Name" -TLSCertificateName $TLSCert

After completing this, any queued mail destined for the Office 365 tenant should begin flowing.
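
A check for the failure described above, a send connector still naming a certificate that is no longer installed or valid; this is an added example, not part of the original post. `Test-ConnectorTlsCertificate` is a hypothetical helper, and the sample connector and certificate values are constructed.

```powershell
# Added example: flag send connectors pinned to a missing or expired certificate.
function Test-ConnectorTlsCertificate {
    param(
        [Parameter(Mandatory)] [object[]] $Connector,    # rows shaped like Get-SendConnector output
        [Parameter(Mandatory)] [object[]] $Certificate,  # rows shaped like Get-ExchangeCertificate output
        [datetime] $Now = (Get-Date)
    )
    foreach ($c in $Connector) {
        $name = [string]$c.TlsCertificateName
        if (-not $name) { continue }                     # connector does not name a certificate
        if ($name -match '^<I>(?<issuer>.*?)<S>(?<subject>.*)$') {
            $issuer, $subject = $Matches['issuer'], $Matches['subject']
            $found = @($Certificate | Where-Object { $_.Issuer -eq $issuer -and $_.Subject -eq $subject })
            $valid = @($found | Where-Object { $_.NotAfter -gt $Now })
            $smtp  = @($valid | Where-Object { "$($_.Services)" -match 'SMTP' })
            $status = if     (-not $found) { 'CertificateMissing' }
                      elseif (-not $valid) { 'CertificateExpired' }
                      elseif (-not $smtp)  { 'NotEnabledForSMTP' }
                      else                 { 'OK' }
        } else {
            $status = 'MalformedName'                    # not in <I>issuer<S>subject form
        }
        [pscustomobject]@{ Connector = $c.Name; Status = $status; TlsCertificateName = $name }
    }
}

# Constructed sample data: the renewed certificate comes from a different issuer.
$certs = @(
    [pscustomobject]@{ Issuer = 'CN=Example CA 2'; Subject = 'CN=mail.contoso.com'
                       NotAfter = [datetime]'2015-07-01'; Services = 'IIS, SMTP' }
)
$connectors = @(
    [pscustomobject]@{ Name = 'Outbound to Office 365'
                       TlsCertificateName = '<I>CN=Example CA 1<S>CN=mail.contoso.com' }
)
Test-ConnectorTlsCertificate -Connector $connectors -Certificate $certs -Now ([datetime]'2014-07-15')

# Live session: Test-ConnectorTlsCertificate -Connector (Get-SendConnector) -Certificate (Get-ExchangeCertificate)
```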

Determine Office 365 Public Folder Hierarchy Limit

Last month, in June 2014, the Exchange Team announced that Office 365 would soon have the public folder hierarchy folder count limit raised from 10,000 folders to 100,000 folders. This limit increase would begin to take effect in July 2014.

But how can you tell what your tenant’s current folder count limit is?

  1. Open a remote PowerShell session to your Office 365 tenant
  2. Run the following command:
    Get-Mailbox -PublicFolder | Get-MailboxStatistics | fl FolderHierarchy*

The command will return the following results:

FolderHierarchyChildrenCountWarningQuota : 9000
FolderHierarchyChildrenCountReceiveQuota : 10000

FolderHierarchyDepthWarningQuota         : 250
FolderHierarchyDepthReceiveQuota         : 300

Once the FolderHierarchyChildrenCountReceiveQuota is raised to 100000, you’ll know your tenant has been updated.

If your tenant does not have a public folder mailbox created yet, you can run the command without the -PublicFolder parameter and replace it with any mailbox identity.

Solution: Unable to update Active Directory information for the source mailbox at the end of the move

This scenario applies to hybrid configurations when moving mailboxes from on-premises to Office 365.

Whenever you see the error in the migration log that says “Unable to update Active Directory information for the source mailbox at the end of the move” it means that when the mailbox move completed, MRS could not disable the mailbox on the on-premises Exchange server and then RemoteMailbox-enable the user account as a cloud mailbox.

This results in two mailboxes – the original one on-premises and the new one in the cloud. However, the on-premises mailbox is inaccessible and Autodiscover gets invalid information to set up the Outlook profile.

To resolve this, perform these steps manually on the on-premises Exchange server in the Exchange Management Shell:

  1. Disable-Mailbox <alias>
  2. Enable-RemoteMailbox -Identity <alias> -PrimarySmtpAddress alias@contoso.com -RemoteRoutingAddress alias@TenantName.mail.onmicrosoft.com
  3. Wait for (or force) AD replication, then manually force a DirSync

#Office365 Increases Storage Quotas for Email and SkyDrive Pro

The second half of 2013 has kicked off with a bang for Office 365.  Microsoft recently increased storage quotas for both Exchange Online mailboxes and SkyDrive Pro storage.  Some of these new limits are a welcome change.  Others leave me – well – meh!

Exchange Online

User mailboxes in Exchange Online have doubled in size from a 25GB storage limit to 50GB.  Shared Mailboxes and Resource Mailboxes have also doubled in size from 5GB to 10GB.  This is most likely a result of Microsoft having completed the majority of Office 365 tenant upgrades to the Wave 15 version of the product suites. 

As any Exchange administrator knows from experience – the more storage you have, the more performance requirements you have.  Exchange 2013 (part of Wave 15) has significantly improved storage performance over Exchange 2010.  With most tenants now on Wave 15 technology, Microsoft can begin offering larger storage quotas without the extra processing power overhead and expense to support it.

This is in contrast to Google Apps which gives users 30GB of storage shared across Gmail, Google Docs and Picasa Web Albums.

And this is where I’m left with that ‘meh’ feeling. 

My own mailbox rarely gets over 2 GB in size.  This is because I manage my storage by saving attachments to SharePoint or SkyDrive or a hard drive somewhere instead of using my mailbox as a file storage management system.  I suspect most other users are the same way.  So this offer to have 50GB of mailbox storage will – in my mind – go mostly unused.  It’s a great marketing tool for competing against Google.

The table below shows the various new Exchange Online storage limits based on license plan.  More detailed info can be found here.


SkyDrive Pro

SkyDrive Pro storage quotas have been a sticking point with users for quite a while.  When first released back in February 2013, SkyDrive Pro quotas were set at 7GB and could not be increased.  Considering a consumer SkyDrive account offered the ability to purchase additional storage above the default 7GB, this didn’t make much sense and many users who needed the additional storage were forced to find it elsewhere.

Now, SkyDrive Pro users get 25GB storage limits by default, and this limit can be increased to either 50GB or 100GB.  This makes using SkyDrive Pro much more realistic for many users – myself included.

Microsoft also introduced a new feature in SkyDrive Pro called “Shared with me”.  Users will now see a new link in their SkyDrive Pro account in the browser that, when clicked, summarizes all the documents that users have shared with them in one place.  This will make collaboration and organization of documents much easier for users.