Wednesday, August 30, 2017

Exchange 2010 / Online - cross organization permissions and access - PART 3

In a previous blog post, we saw a user migrated to Office 365 access a mailbox remaining on-premises (Aisha Bhari accesses Alannah Shaw's mailbox and the Finance shared mailbox). Now I'd like to look at the opposite scenario: an on-premises user accessing mailboxes in O365. So we'll have Alannah Shaw attempt to access the mailbox of Aisha Bhari and the Marketing shared mailbox that we just migrated to O365 (see previous blog post).

Note: in this scenario, we are still granting permissions after the migration. This is not a rule or a best practice. I'm just examining the behavior of cross organization permissions in this scenario. In a future scenario (possibly the next blog post(s)), permissions will have already been set and we'll see how well they transfer to the Cloud.


***


My first question: where should we set the permissions? In the Exchange Management Console (EMC) onsite or in the Exchange admin center in Office 365? Based on my experience in the previous blog post, I would lean toward the latter but let's take a look at the EMC anyway.

In the Exchange On-premises section of the EMC, mailboxes migrated to O365 / Exchange Online are displayed in the "Mail Contact" section of Recipient Configuration as a "Remote User Mailbox" or a "Remote Shared Mailbox":



Unfortunately, management options are very limited. It looks like we can Disable and Remove the mailbox but that is almost all. In particular, we cannot set permissions:




If we go to the Office 365 Recipient Configuration section, the same objects are displayed as mailboxes (with a Discovery Mailbox we do not see in Mail Contacts) and we have the option to manage Full Access permissions but not Send As:




So I think I'll go with the Exchange admin center (EAC) option. Let's see what choices are available in this interface.


After logging into our tenant and opening the EAC, we proceed to recipients | mailboxes where we see the mailbox of Aisha Bhari. We can configure permissions by highlighting the mailbox, clicking on the pencil icon...




And clicking on "mailbox delegation". 




We select Alannah Shaw, then click on add (and then OK):





Alannah Shaw now has Full Access to Aisha Bhari's mailbox. We have a short description explaining that Send As permission must be granted separately:




After clicking "Save", we return to "mailbox delegation":




For shared mailbox configuration, we must go to the section "shared" rather than "mailboxes" even though a shared mailbox is a mailbox also. That's just the way Microsoft arranged the "recipients" subsections. The Marketing mailbox that we migrated to O365 in the last blog post is present:



We click on the " + " sign to grant Alannah Shaw Full Access (under "mailbox delegation"). I will not show each step since they are almost identical to those for granting access to a user mailbox:





If I return to the Exchange 2010 (on-premises) EMC, I can see that Alannah Shaw has received Full Access rights to Aisha Bhari's mailbox:
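The same delegation as the EAC steps above, done from PowerShell so the result can be verified rather than eyeballed. This is an added example, not code from the original post; it assumes an open remote PowerShell session to Exchange Online with the default (unprefixed) cmdlet names, and uses the mailbox and delegate names from the post.

```powershell
# Added example (not from the original post). Assumes an Exchange Online
# remote PowerShell session is already established.
$Mailbox  = "Aisha Bhari"
$Delegate = "Alannah Shaw"

# Full Access: this is what the "mailbox delegation" page in the EAC sets.
Add-MailboxPermission -Identity $Mailbox -User $Delegate `
    -AccessRights FullAccess -InheritanceType All

# Send As is granted separately in Exchange Online, exactly as the EAC note says.
# (On-premises Exchange 2010 uses Add-ADPermission -ExtendedRights "Send As" instead.)
Add-RecipientPermission -Identity $Mailbox -Trustee $Delegate `
    -AccessRights SendAs -Confirm:$false

# Verification: list only explicit (non-inherited) Full Access entries, dropping
# the built-in NT AUTHORITY\SELF entry, so stray grants to other users stand out.
Get-MailboxPermission -Identity $Mailbox |
    Where-Object {
        $_.AccessRights -contains "FullAccess" -and
        -not $_.IsInherited -and
        $_.User -notlike "NT AUTHORITY\*"
    } |
    Select-Object User, AccessRights

Get-RecipientPermission -Identity $Mailbox -AccessRights SendAs |
    Select-Object Trustee, AccessRights
```

Because these grants live in the Exchange Online mailbox ACL, the same two Get- cmdlets are the place to review (and remove, with Remove-MailboxPermission / Remove-RecipientPermission) delegations once the on-premises side has been retired.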




Now let's see if we can access Aisha's mailbox as Alannah Shaw. As expected (since we do not have Single Sign-On), we are prompted for a password when we attempt to add the mailbox to the Outlook profile (of Alannah Shaw):





Even so, the mailbox is added and we can expand and access the different folders:





We are not so successful with the Marketing shared calendar that we simply cannot open (after waiting a moment and after several attempts - close and reopen Outlook, remove and re-add to profile):



EDIT - several days later I attempted to open the Marketing shared folder again (logged in as Alannah Shaw) and this time the attempt was successful. I do notice significant latency (several seconds to move from folder to folder) and that may have had some bearing on the initial failure. We should note that the error message above does not indicate insufficient permission ("You do not have the right to access this folder", etc.) but simply the inability to "expand" the folder.

***

All in all, our test user Alannah Shaw can access a user mailbox migrated to O365 (Full Access) and also the migrated shared calendar (Full Access there as well) but only after an initial failure, possibly due to high latency. I should specify that I granted access directly to Alannah Shaw (rather than to a group of which she is a member). At any rate, these permissions were assigned after the mailbox was migrated to O365. In my next blog post, I will have assigned permissions before the migration and will observe to what extent they are retained - and functional - after the migration.



Sunday, August 27, 2017

Exchange 2010 / Online - cross organization permissions and access - PART 2

As stated in my previous blog post, I was going to proceed with some other tests concerning cross organization (or premises) permissions and with a shared mailbox in particular. I was about to migrate such a mailbox but noticed that there was no "New Remote Move Request" option:




On the other hand, we do see such an option for the user mailbox of Alan Reid:



Observant readers will notice that there is still a green arrow icon in front of the shared mailbox icon but no such arrow in front of the icon representing Alan Reid. This arrow indicates that a move request is (or was) in progress and must be cleared (in the Move Request section of Recipient Configuration) before another move request can be made. At first, I had overlooked the green arrow and was asking myself if a special procedure was necessary to move shared mailboxes.

This discussion seemed to indicate there was such a procedure:

In fact, if we clear the request, we can attempt the migration.

However, even then, the migration does not necessarily succeed. Before I realized the nature of the problem above, I attempted the migration of a simple user mailbox. At one point, I encountered the following error (and the migration did, indeed, fail):




Based on previous experiences with migration, I thought this might have to do with the presence of a domain name that was not an accepted domain in my Office 365 tenant (mynet.lan) and I removed the domain in question from the list of email addresses:


Note: you will have to uncheck the "Automatically update e-mail addresses..." option.


Unfortunately, even the removal of the domain mynet.lan did not resolve the problem.


After consulting some Office 365 experts, I learned that the recommended method is to initiate the migration from the destination. So I log into my O365 tenant, go to the recipient | migration section of the "Exchange admin center", click on the " + " sign and select the option "Migrate to Exchange Online":




I select the option "Remote move migration":




Off to the right (not visible in the screenshot above), we have a description of the option:



I select the users that I want to move (clicking "Next" as necessary):





In this case, I'll migrate the "Marketing" shared mailbox (yes, I know it was the Finance mailbox before - I had my reasons for trying this other mailbox instead):



The "Marketing" mailbox is selected:




I confirm the migration endpoint (enter the appropriate URL):

 


We name the migration batch and indicate the target delivery domain:




We select a recipient for the migration report and configure the schedule:




We can follow the migration status (Starting, Validating, Syncing, etc.):








When the status is "Synced", we click on "Complete the migration batch":




Status goes from "Completing" to "Completed":






We can review migration details at the end (right pane):





In the Office 365 Admin center (among other places), we can see that the mailbox has been migrated:
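The pre-check and the remote move described above (removing addresses in domains the tenant does not accept, such as mynet.lan, then creating and completing the batch from the Exchange Online side), as an added example that is not part of the original post. It assumes the on-premises cmdlets run in the Exchange 2010 Management Shell, that the Exchange Online session was imported with `-Prefix Cloud` (so its cmdlets read `Get-CloudAcceptedDomain`, `New-CloudMigrationBatch`, and so on), and that the tenant domain and admin address are placeholders to replace.

```powershell
# Added example (not from the original post). On-premises part: flag proxy
# addresses whose domain is not an accepted domain in the tenant (mynet.lan
# in the post) before attempting the move, so the batch does not fail on them.
$Accepted = Get-CloudAcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() }
$Mbx = Get-Mailbox -Identity "Marketing"
$Bad = $Mbx.EmailAddresses | Where-Object {
    $_.PrefixString -eq "smtp" -and
    $Accepted -notcontains $_.SmtpAddress.Split("@")[1].ToLower()
}
if ($Bad) {
    "Removing addresses in non-accepted domains:"; $Bad | ForEach-Object { $_.ProxyAddressString }
    # Same effect as unchecking "Automatically update e-mail addresses...":
    # otherwise the address policy simply re-adds the address.
    Set-Mailbox -Identity $Mbx.Identity -EmailAddressPolicyEnabled $false
    # The primary SMTP address must remain in an accepted domain; only the
    # secondary entries found above are removed here.
    Set-Mailbox -Identity $Mbx.Identity `
        -EmailAddresses @{ Remove = ($Bad | ForEach-Object { $_.ProxyAddressString }) }
}

# Exchange Online part: start the remote move from the destination, which is
# the method the post ends up recommending. Placeholders are marked in CAPS.
$Endpoint = Get-CloudMigrationEndpoint |
    Where-Object { $_.EndpointType -eq "ExchangeRemoteMove" } | Select-Object -First 1
# One-line CSV built in memory instead of a file on disk (header must be EmailAddress).
$Csv = [System.Text.Encoding]::UTF8.GetBytes("EmailAddress`r`n$($Mbx.PrimarySmtpAddress)")
$Batch = New-CloudMigrationBatch -Name "Marketing-RemoteMove" `
    -SourceEndpoint $Endpoint.Identity -CSVData $Csv `
    -TargetDeliveryDomain "TENANT.mail.onmicrosoft.com" `
    -NotificationEmails "ADMIN@EXAMPLE.COM" -AutoStart

# Follow the status (Starting, Validating, Syncing, Synced) and complete the
# batch only once it reports Synced, mirroring the manual "Complete" click.
do {
    Start-Sleep -Seconds 60
    $Status = (Get-CloudMigrationBatch -Identity $Batch.Identity).Status.ToString()
    "$(Get-Date -Format T)  $($Batch.Identity): $Status"
} until ($Status -in @("Synced", "Failed", "Completed"))
if ($Status -eq "Synced") { Complete-CloudMigrationBatch -Identity $Batch.Identity -Confirm:$false }
```

Get-CloudMigrationUserStatistics on the batch's users gives the same per-mailbox detail that the post reviews in the right pane at the end.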





***


After updating my information on migration best practices (or at least one aspect), I'm now ready to continue testing more cross organization permission scenarios.


Friday, August 18, 2017

Exchange 2010 / Online - cross organization permissions and access - PART 1

The subject of this blog post is cross organization permissions and access in an Exchange 2010 / Exchange Online hybrid environment.

For my tests, I am using Exchange 2010 SP3 RU18 and Outlook 2010 SP2. I have the Exchange Online 1 Plan and a working hybrid environment (working to the extent that the hybrid configuration wizard completes successfully each time I run it).

But first, why use Exchange 2010, a version that is approaching end of life? Because some organizations still use this version and I want to observe how Exchange Online and "Exchange Onsite" interact in those circumstances.

Moreover, I am not using cached Exchange mode on the Outlook client. Please note: this is not recommended for access to mailboxes migrated to Exchange Online. However, many organizations implement virtual desktops which make the use of cached mode difficult (because of the potentially large .ost files), especially if the desktops are "non-persistent". One of my objectives (not necessarily addressed in the present text) is to evaluate differences in access time with and without cached mode. I would not think this setting affects permissions in any way, but switching to cached mode may be considered.


***


First scenarios: migrated user attempts to access on-premises elements.

  • Access mailbox of another user (still on-premises)
  • Access shared mailbox (on-premises)
  • Access calendar (on-premises)


We have a user named Aisha Bhari whose mailbox has already been migrated to Office 365. At this point, this is the only mailbox on Office 365. Every other mailbox remains on-premises.

We will test these scenarios:

Grant Aisha Bhari Full Permission access to the on-premises mailbox of Alannah Shaw

Result: Aisha can add the mailbox but cannot expand the folders:


Note: "Use Cached Exchange Mode" is unchecked.




I attempted the following for troubleshooting:

  • Remove and re-add the mailbox? Still fails.
  • Wait a couple days for permissions to take effect? Still fails.



Grant Aisha Bhari access to the Finance shared mailbox through membership in a security group granted Full Access.

Can she access the shared mailbox?

No



What if we grant her permissions directly (bypassing the security group)?

The attempt still fails.


Can Aisha Bhari access the calendar of Alannah Shaw?

She can open the calendar but only after 2-3 attempts.

Usually, on the first attempt, there is a delay when "connecting" and the attempt fails. We have to try until the connection is made, apparently within the timeout limit. This most likely is related to the greater latency when directly accessing mailboxes (and associated calendars) online.

Moreover, we can only see the indication "Busy" on the test meeting (but not even limited details):



Granting more permission has no effect.


Send calendar invite to Aisha Bhari

This fails. I cannot even send the invitation:







So something is not quite right.

I take some further troubleshooting steps.

Various sources indicate that the following updates for Outlook are necessary but it looks like they are already installed or not pertinent:

  • KB2956191 - already installed according to the installer
  • KB2965295 - "There are no products affected by this package installed on the system" according to the installer.
  • KB3114409 - "There are no products affected by this package installed on the system" according to the installer.


I used the Exchange Remote Connectivity Analyzer (EXRCA) which first failed because Outlook Anywhere was not enabled (it had been disabled for testing MAPI/HTTP with Outlook 2010). Once Outlook Anywhere was (re)enabled, the following EXRCA tests passed:
  • Outlook Connectivity
  • Outlook Autodiscover
  • Exchange Web Services

What effect did enabling Outlook Anywhere have on the cross organization permissions and access tested earlier?

At first nothing. Nothing changed and Aisha Bhari could still not access the resources in question.

Some time later, I retried and Aisha Bhari is now able to expand the mailbox of Alannah Shaw in her Outlook profile (Aisha Bhari's profile). In the past, I have observed that new Exchange permissions may need some time (even days) before taking effect. So I thought I would grant Aisha access to another mailbox (that of Alan Reid) and see if she could add it to her profile immediately (within minutes); that was possible.

Moreover, Aisha is now able to see the meeting details of appointments in Alannah Shaw's calendar.

On the other hand, she still cannot add a shared mailbox or calendar to her profile (or even locate them in the GAL - only users appear).

Also, other users still cannot send her an invitation to view their calendar. Note: she belongs to a group that has "Publishing Editor" rights.

After some additional reflection, I realize the nature of the problem.

I use Azure AD Connect to synchronize users and groups to Office 365. I can see the synchronized users in the Office 365 Admin Center:


  

Because I filtered the objects to be synchronized to Office 365 by organizational unit (OU), only the users in the "ExchangeUsers" OU have been synchronized:




If I select the OU that contains the accounts associated with the shared mailboxes (no screenshot) and force synchronization, the shared mailboxes (and calendars) are now represented in Office 365:
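A check for the root cause found above, as an added example that is not part of the original post: list the on-premises shared mailboxes whose accounts are not represented in Exchange Online (which is what an Azure AD Connect OU filter produces), showing the OU of each so the filter can be corrected, then force a delta sync. It assumes the Exchange 2010 Management Shell for the on-premises cmdlets, an Exchange Online session imported with `-Prefix Cloud`, and that the ADSync module is available where the script runs.

```powershell
# Added example (not from the original post). Assumes Exchange 2010 Management
# Shell plus an Exchange Online session imported with -Prefix Cloud.

# On-premises shared mailboxes and the OU their AD accounts live in.
$OnPrem = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited |
    Select-Object DisplayName, PrimarySmtpAddress, OrganizationalUnit

# A synchronized on-premises mailbox appears in Exchange Online as a mail user,
# so the set of cloud mail users is what "represented in Office 365" means here.
$Synced = Get-CloudMailUser -ResultSize Unlimited |
    ForEach-Object { $_.PrimarySmtpAddress.ToString().ToLower() }

$Missing = $OnPrem | Where-Object {
    $Synced -notcontains $_.PrimarySmtpAddress.ToString().ToLower()
}

if ($Missing) {
    "Shared mailboxes not synchronized to Office 365 (OUs to add to the Azure AD Connect filter):"
    $Missing | Format-Table DisplayName, PrimarySmtpAddress, OrganizationalUnit -AutoSize
    # Distinct OUs to enable in the connector's OU filtering page.
    $Missing | Select-Object -ExpandProperty OrganizationalUnit -Unique

    # After the OU filter has been widened, trigger a delta sync instead of
    # waiting for the next scheduled cycle (run on the Azure AD Connect server).
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
}
else {
    "All on-premises shared mailboxes are represented in Exchange Online."
}
```

The same comparison with `-RecipientTypeDetails RoomMailbox,EquipmentMailbox` covers the calendars (MktCal, FinCal) that the post finds missing from the GAL for the same reason.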



The results are significant.

Aisha Bhari can not only access the mailbox of Alannah Shaw, as already stated...




But she can also open the Finance shared mailbox (now that we have synchronized the associated accounts to Office 365):




Moreover, Aisha can now locate and add the MktCal calendar...



She cannot open this appointment...




But that is due to lack of sufficient permissions rather than a faulty configuration of our hybrid environment:




When Aisha does have "Full Permission", she can view meeting details (in the calendar of Alannah Shaw)...



And in the FinCal calendar:




***

After some adjustments, our migrated user can access another user's mailbox, a shared mailbox and a calendar, all still located on-premises (and provided they have appropriate access rights to these resources of course). There is still much to test. We've looked at "Full Permission" but what about "Send As" and "Send on behalf of"? Also, access was granted after Aisha Bhari was migrated to Office 365. What about an on-premises user who already has access to other mailboxes and calendars? Will the permissions be retained after the migration of their mailbox? Lastly, what about users on-premises that attempt to access resources in the Cloud? These are scenarios that I plan to examine (not necessarily in that order) in future blog posts.

References:

Understanding Hybrid Deployment Permissions with Exchange 2010 SP3

Exchange Hybrid Cross-Premises Mailbox Permissions Demystified (Part 1)

Outlook Anywhere must be enabled

Run Microsoft Exchange Hybrid for the long haul (at 1:14:00 in the video)