Tachytelic.net

E-Mail

Office 365: How to change primary email address when using Dirsync,AADSync or Azure Active Directory Connect

by 2 Comments

It is simple to change the Primary Email Address of an Office 365 user when your tenant is not being synced to your on-premises active directory, but if you are syncing to Office 365 with any of the following tools:

  • Windows Azure Active Directory Sync (DirSync)
  • Azure AD Sync (AADSync)
  • Azure Active Directory Connect

Then you will be unable to change any of email addresses associated with that account, and you will get the following error:

 

The operation on mailbox “Mailbox” failed because it’s out of the current user’s write scope. The action ‘Set-Mailbox’, ‘EmailAddresses’, can’t be performed on the object ‘Mailbox’ because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.

Image showing error from Office 365 when trying to change the primary SMTP address for an account that is synced to a local active directory.

How to change the Primary Email Address for an Office 365 account using Active Directory Users and Computers

  1. Open Active Directory Users and Computers
  2. Ensure you have “Advanced Features” enabled from the view menu:
    Image showing how to enable the "Advanced Features" in Active Directory Users and Computers
  3. Double click on the user that you want to edit the email addresses for.
  4. Go to the “Attribute Editor” tab.
  5. Go to the “proxyAddresses” attribute and click edit.
  6. Edit the email addresses as per your requirements. Note that the primary address (which is the address that the user will send emails from) is in uppercase “SMTP”.
    Image showing how to edit the proxyaddresses attribute for an Office 365 user synced to local active directory.

 

How to change the Primary Email Address for an Office 365 account using Powershell

You can perform the same operation using Windows Powershell, the basic syntax is like this:

Set-ADUser paulie -Add @{ProxyAddresses="SMTP:[email protected]"}

The problem with running this command is that you may already have a primary SMTP address set and this will not stop you from adding another one. So first of all run:

get-aduser paulie -properties proxyaddresses | Select-Object Name,ProxyAddresses |fl

This will show you all the current proxy addresses for this user. If you want to remove an existing proxy address you can use:

Set-ADUser paulie -Remove @{ProxyAddresses="smtp:[email protected]"}

It is possible neither of the above methods will work if you have never had Exchange installed locally, as the users will not have these attributes. You can follow the instructions on this page in order to get the attributes enabled for your users.

 

Office 365: How to hide a user from the Global Address List when using Dirsync,AADSync or Azure Active Directory Connect

by 5 Comments

It’s easy to hide a user from the Global Address List(GAL) when your Office 365 tenant is not being synced to your on-premise Active Directory, but if you are syncing to Office 365 which with any of the following tools:

  • Windows Azure Active Directory Sync (DirSync)
  • Azure AD Sync (AADSync)
  • Azure Active Directory Connect

Then you will be unable to hide a user from using the Office 365 Web Interface or PowerShell. From both interfaces you will get the following error:

The operation on mailbox “Paulie” failed because it’s out of the current user’s write scope. The action
‘Set-Mailbox’, ‘HiddenFromAddressListsEnabled’, can’t be performed on the object ‘Paulie’ because the object
is being synchronized from your on-premises organization. This action should be performed on the object in your
on-premises organization.

From the web interface it will look like this:

Unable to hide mailbox from Office 365 when synced to on-premise active directory

How to hide a user from the Global Address List

So, now that we know that is has to be done on-premise, what needs to be changed and what is the quickest and easiest way to change it?

The active directory property “msExchHideFromAddressLists” property needs to be set to “true” and here are two ways of changing it.

Using ADSI Edit to hide a user from the Global Address List

You can use ADSI Edit and navigate to your user and modify the property “msExchHideFromAddressLists” and simply change it to true. It is quite easy to do, but long winded and awkward.

Using adsiedit to set MsExchHideFromAddressLists to true to hide a user from the Office 365 GAL

Using PowerShell to hide a user from the Global Address List

The same operation as above can be achieved in a single line of Powershell using the Set-User cmdlet. This is a much faster and less error prone method of doing the same operation.

Here is an example:

Set-ADUser paulie -Replace @{msExchHideFromAddressLists=$true}

and to un-hide the user:

Set-ADUser paulie -Replace @{msExchHideFromAddressLists=$false}

It’s really much easier to do in Powershell than ADSI Edit, but either way will work and the next time your AD synchronises with Office 365, the user should be hidden.

msExchHideFromAddressLists property missing from Active Directory?

If you discover that the msExchHideFromAddressLists property does not exist in your local active directory if you have never had a Microsoft Exchange Installed locally:

Image of ADSI Edit showing that the msExchHideFromAddressLists Active Directory property is missing
msExchHideFromAddressLists property missing from Active Directory

It is possible to extend the active directory schema to contain the required Exchange attributes without purchasing or installing Microsoft Exchange server. The easiest way to achieve this is to download the evaluation of Exchange Server 2013 and then:

  • Extract the contents of the download to a folder of your choice.
  • Run “setup.exe /prepareschema /iacceptexchangeserverlicenseterms” as per this screenshot:
    Screenshot of Extending the AD Schema to include Exchange Attributes
  • You should now have the msExchHideFromAddressLists active directory property available:
    msExchHideFromAddressLists property added to active directory by extending schema using Exchange 2013 evaluation

 

To list all users that are hidden from the GAL

Bonus bit of PowerShell – if you want to list all users that are hidden from the GAL, try this:

Get-ADUser -Filter {msExchHideFromAddressLists -eq "TRUE"} |Select-Object UserPrincipalName

 

Setting the primary email address for Office 365 users with PowerShell

by 1 Comment

It is easy to Set the Primary Email Address on Office 365 with PowerShell.

It’s done with the Set-Mailbox cmdlet. The primary address is set by using “SMTP” in uppercase in the email address.

You do have to be slightly careful as using the Set-Mailbox cmdlet to change the primary address will remove all of the other aliases. So if you have any, they must be included with the command.

I have made this process really easy for you (and myself). Enter the details of the mailbox you want to change below and it will generate the required Set-Mailbox command for you to copy and paste into a PowerShell session.

I have also included all the required PowerShell to connect to Office 365 and disconnect again.

Set the Primary Email Address on Office 365 using Powershell

Mailbox Identity:

Primary SMTP Address(e.g. [email protected]):

Additional email Aliases(e.g. [email protected],[email protected]):

PowerShell to Copy/Paste

Using the generated script you will get output like this:

Screenshot showing how to Set the Primary Email Address on Office 365 with Powershell

Set the Primary Email Address on Office 365 when the user is being managed by the local active directory

The instructions above will work if the user that you are attempting to change is cloud managed, but if it is being synced from your local active directory then it will be out of the write scope of Office 365 and it will not work. If that is the case then follow the instructions on this page:

https://www.tachytelic.net/2018/08/office-365-how-to-change-primary-email-address/

Office 365: 550 5.7.1 RESOLVER.RST.AuthRequired when emailing a mail enabled public folder

by Leave a Comment

A recent change in Exchange online seems to have caused a problem with mail enabled public folders receiving messages from people outside of the organisation. It has never been necessary with Office 365/Exchange Online to give create permissions to the anonymous or default users , you could instead set the mail flow settings of the public folder to allow anonymous access.

You may see the following bounce message when sending to a mail enabled public folder:

Delivery has failed to these recipients or groups:

Your message wasn’t delivered due to a permission or security issue. It may have been rejected by a moderator, the address may only accept email from certain senders, or another restriction may be preventing delivery. For more tips to resolve this issue see DSN code 5.7.1 in Exchange Online. If the problem continues contact your help desk.

5.7.1 RESOLVER.RST.AuthRequired; authentication required [Stage: CreateMessage]>’

Of course it is possible and easy to set permissions for the public folder from Outlook to solve this problem, but doing this does not seem to be working for everyone. Some people are reporting success with it, but others not.

Setting the public folder permissions with PowerShell fixes the problem, but I cannot understand why there is a difference.

Setting Offiec 365 Public Folder Permissions with Powershell

In order to fix this problem you have to grant create permissions to anonymous and the default user. The Powershell cmdlet to do this is Add-PublicFolderClientPermission.

After connecting to Office 365 Remote Powershell as described here, you can run the following commands:

Add-PublicFolderClientPermission -identity "\test public folder" -User Anonymous -AccessRights CreateItems
Add-PublicFolderClientPermission -identity "\test public folder" -User Default -AccessRights CreateItems

Once you have added the permission it’s probably best to give it a quick check with:

Get-PublicFolderClientPermission -identity "\test public folder"

Hope this helps.

Office 365: Outlook crashes when sending an email when ESET NOD32 Antivirus is installed

by Leave a Comment

Just a quick post, had a incident today with a user where Outlook 2013 crashed every time they attempted to send an email.

It turned out that this was caused by the ESET NOD32 installation on the machine. Disabling the email integration in NOD32 immediately fixes the problem.

To disable the email integration right click on the NOD32 icon in the notification area to bring up the options screen. Open out the “Web and email” section and then “Email client integration” and then untick the option “Integrate into Microsoft Outlook”

Eset NOD32 options to stop Outlook crashes when sending an email

 

A quick and easy fix to a pain in the arse problem. 😀

How to whitelist domains in Office 365 using Powershell from a text file

by 7 Comments

How to whitelist domains in Office 365

There are plenty of blog posts  out there that explain how to add a mail flow rule in Office 365 to allow you to white list a sender domain, bypassing the 365 spam filtering completely. There is a nice guide on how to achieve that on this blog post by Robert Crane:

White listing a domain in Office 365

I was working with a customer today that had a long list of domains that they wanted to white-list but the Office 365 admin interface does not provide an elegant way to enter the domain list in bulk.

As all of the mail flow functionality presented in the Office 365 web interface is also available in Powershell I wrote a script that would do the job of creating a transport rule based on a simple list from a text file containing email domains.

Creating a Mail Flow rule to handle many trusted domains.

The first step in this process is to create a plain text file with a domain on each line that you would like to white-list. If you enter a full email address the script will strip the part in front of the @symbol and white-list the entire domain.

So your list might look something like:

nicedomain.com
trusteddomain.com
tachytelic.net
accendo.co.uk
[email protected]

The final line in this example of “[email protected]” will be stripped down to “somedomain.com”, I added this because the list I was supplied with contained some full email addresses which the transport rule cannot accept. Each line is also trimmed of white-space to ensure the rule creation is successful.

Once you have your file in place you need to connect to Exchange Online using Remote Powershell. Instructions on how to do that here:

http://technet.microsoft.com/en-us/library/jj984289(v=exchg.150).aspx

Running Add365SafeDomains.ps1 to create or update a Mail Flow rule using Powershell in Office 365

Once you are connected to Exchange online you can run Add365SafeDomains.ps1. The script expects two parameters, which can be supplied on the command line or omitted and you will be prompted to supply them. An example command might look like this:

.\Add365SafeDomains.ps1 -ruleName "Safe Domain List" -domainListFilePath "c:\domainlist.txt"

or simply

.\Add365SafeDomains.ps1

and you will be prompted for the values as per the below:

Powershell script showing How to whitelist domains in office 365

Specifying a meaningful rule name will allow you to segregate different groups of domains easily.

If you specify a rule name that already exists, the contents of the “SenderDomainIs” property will be loaded into an array and combined with the new list that you have supplied, duplicates are automatically removed and the list is sorted into alphabetical order  for easier readability when using the 365 web portal to review the rule.

If you specify a rule name that does not already exist, then a new rule will be created instead.

The script works by creating an array of domains and supplying that array to the set-TransportRule cmdlet.

So if you have lots of domains that you would like to white-list (or black list with easy modification) then this could be for you.

Here is the code for the script:


Param(
[Parameter(Mandatory=$True,Position=1)]
[string]$ruleName,

[Parameter(Mandatory=$True)]
[string]$domainListFilePath
)

#Read the contents of the text file into an array
$safeDomainList = Get-Content $domainListFilePath

#Create a new array and remove all text for each line up to and including the @ symbol, also remove whitespace
$newSafeDomainList = @()
$newSafeDomainList += foreach ($domain in $safeDomainList)
{
$tmpdomain = $domain -replace “.*@”
$tmpdomain.trim()
}

#If the rule already exists update the existing allowed sender domains, else create a new rule.
if (Get-TransportRule $ruleName -EA SilentlyContinue)
{
“Updating existing rule…”
$safeDomainList = Get-TransportRule $ruleName |select -ExpandProperty SenderDomainIs
$completeList = $safeDomainList + $newSafeDomainList
$completeList = $completeList | select -uniq | sort
set-TransportRule $ruleName -SenderDomainIs $completeList
}
else
{
“Creating new rule…”
$newSafeDomainList = $newSafeDomainList | sort
New-TransportRule $ruleName -SenderDomainIs $newSafeDomainList -SetSCL “-1”
}

You can copy and paste the above into your own Powershell script or download the script here:

Add365SafeDomains.ps1

Enjoy!