Welcome to 365 Admin - Office 365 Administration for Beginners



Office 365 Administration can be overwhelming for a beginner. The preparation and configuration of your admin PC can be a challenge if you aren't aware of what you need to install to manage the cloud effectively. Plus it is important to be aware of limitations in your browser when you are administering multiple Office 365 tenants.

There are multitudes of technical blogs for the advanced Office 365 administrator, but nothing focused on beginners. It is for this reason I have created this blog, to guide Office 365 Administrators through all the challenges that beginners will face.

Everything you need to become a competent Office 365 Administrator is here, all in one place.

My mission in this technical blog is to provide tips, tutorials and scripts to the professional IT community, with particular focus on helping newcomers with little real world experience in Office 365.

In this blog, I will be publishing tutorials to help you quickly create powerful scripts to manage your environment, whether it is 5 users or 500,000 users. These tutorials also cover MFA (Multi-Factor Authentication) as well as Hybrid Office 365 environments.

This content will cater for various environments from small businesses with a cloud only presence to Enterprise hybrid environments managing hundreds of thousands of mailboxes.

I hope this blog helps on your journey into the world of Office 365.

Tutorials - by subject
*** Complete list of all my tutorials - Link
Hybrid Administration tutorials - Link
MFA (Multi-Factor Authentication) Tutorials - Link
Enterprise Management - Link

PowerShell Script Repository -
Microsoft TechNet Gallery - Link

PowerShell Script Downloads - 
All my PowerShell TechNet Downloads - Link

Linked-In - Link

About Me - Link

Complete list of all my tutorials



Configure your Administration PC or Server
- How to configure your desktop PC for Office 365 Administration - including MFA - Link
- How to configure Server 2012 R2 for Office 365 Administration - including MFA - Link
- How to configure your desktop PC for Hybrid Exchange - Office 365 - Azure Administration - Link

Connection Scripts
- How to connect to Office 365 and Azure via PowerShell - Link
- How to connect to Hybrid Exchange - Office 365 - Azure AD and Local AD via PowerShell - Link
- How to connect to Office 365 via PowerShell with MFA - Multi-Factor Authentication - Link

Office 365 Migrations
How to configure Exchange 2013 - 2016 for Office 365 Hybrid - Link

All Hybrid Administration Tutorials
- How to configure your desktop PC for Hybrid Exchange - Office 365 - Azure Administration - Link
- How to connect to Hybrid Exchange - Office 365 - Azure AD and Local AD via PowerShell - Link
- Hybrid Management - Part 01 - Creating local User mailboxes - Link
- Hybrid Management - Part 02 - Creating local Exchange Shared Mailboxes - Link
- Hybrid Management - Part 03 - Creating local Exchange Room and Equipment Mailboxes - Link
- Hybrid Management - Part 04 - Configure the Hybrid Connection Wizard - Link
- Hybrid Management - Part 05 - Individual mailbox moves via the EAC - Link
- Hybrid Management - Part 06 - Bulk mailbox moves via the EAC - Link
- Hybrid Management - Part 07 - Moving bulk mailboxes with PowerShell - Link
- Hybrid Management - Part 08 - Creating Office 365 User Mailboxes via PowerShell - Link
- Hybrid Management - Part 09 - Creating Office 365 Shared Mailboxes via PowerShell - Link
- Hybrid Management - Part 10 - Creating Office 365 Room and Equipment Mailboxes via PowerShell - Link
- How to configure Exchange 2013 - 2016 for Office 365 Hybrid - Link

All Modern Authentication and MFA (Multi-Factor Authentication) Tutorials
- All my MFA Tutorials on one page - Link
- How to configure your desktop PC for Office 365 Administration - including MFA - Link
- How to configure Server 2012 R2 for Office 365 Administration - including MFA - Link
- How to enable MFA (Multi-Factor Authentication) for Office 365 administrators - Link
- How to connect to Office 365 via PowerShell with MFA - Multi-Factor Authentication - Link
- How to protect your Office 365 MFA admin account from cell phone SIM hijacking - Link
- MFA Support - PowerShell modules and resources for Office 365  - Link

Security
- How to protect your Office 365 MFA admin account from cell phone SIM hijacking - Link

Daily Administration and Reports 
How to create a basic document of the Exchange Online environment - Link
How to document the local Exchange Organization for As Built documents and auditing - Link
PowerShell scripts to report on Mailbox permissions in Exchange Online and Exchange On-Prem - Link

Enterprise Management
- How to manage Enterprise environments - Part 1 - Filtering queries - Link
- How to manage Enterprise environments - Part 2 - Creating scripts with a filtered query - Link
- How to manage Enterprise environments - Part 3 - Bulk management using multiple filters - Link

PowerShell
- How to create basic PowerShell scripts - Link
- How to create basic PowerShell scripts with Export-CSV - Link
- How to create basic PowerShell scripts with Import-CSV - Link
- PowerShell modules and resources for Office 365 - Link

Downloads -
All my PowerShell TechNet Downloads - Link

Tips and Tricks -
How to use Chrome browser for concurrent multiple connections to different Office 365 tenancies - Link
General Tips and Tricks for better Office 365 Administration - Link
How to extend your Office 365 Trial - Link
How to get a 180 day trial tenant in Office 365 for testing - Link
PowerShell modules and resources for Office 365 - Link

How to get a 180 day trial tenant in Office 365 for testing



30 day trials just aren't long enough, especially if you are testing a Hybrid configuration.

One of the biggest frustrations for Office 365 Administrators who are trying to learn this awesome technology is that trial tenants expire after 30 days. This is annoying if you have a cloud only trial environment, but what if you are testing a Local - Hybrid Exchange environment that has taken weeks to configure? It is simply too much effort to create a new trial E3 tenant from scratch, remove your domain from the expired tenant, configure your new tenant with domains, users and data, and then reconfigure the Hybrid Connection Wizard to continue after the initial 30 day trial.

----- What if I told you that you could get a 180 day free trial on Office 365 -----

Most people know that you can extend your existing Office 365 E3 trial for another 30 days, but did you know you can further extend your existing test environment by assigning an E5 trial, and then extending that? This would give you a total of 120 days testing. After that, you can then assign an Office 365 Business Premium trial license and extend that as well, giving you a total of 180 days free testing.

By utilising the three Office 365 trials with Exchange Online and extending them, you will get a total of 180 days of free Exchange Online testing.

So how does this work in the real world?

My original 30 day E3 trial expired just over a month ago, and I extended it for another 30 days, using this process.
How to extend your Office 365 Trial - Link

The extended period has just expired as well. Rather than get all upset about having to recreate a new tenant and deprovision the old tenant, I started investigating to see if I was able to assign a trial E5 license to my about to expire (extended) E3 license. And it worked !!!

I am now in my third month of my Office 365 trial. I have spent countless hours over the last three months creating and configuring an Office 365 - Hybrid test environment, and it is reassuring to know that I do not need to deprovision my old tenant and create a new one to keep testing.

Follow the processes below to create - extend your Office 365 tenant for a total of six months -

--------------------------------------------------------------------------------------------

Sign up and create your tenant with an E3 license if you haven't already done it -

First thing we need to do is sign up for a standard Office 365 E3 trial. Browse to this web page -
Office 365 Enterprise E3 Trial - Link - And sign up for your E3 trial.
Fill in your personal details making sure that you enter your valid email and international mobile number.

At the Create your user ID page, select your username and tenant name. Note that your tenant name must be unique and cannot be changed once created.









Use your mobile for verification, and voila - You have just created a test tenant with an Office 365 E3 subscription.

Once you log into the Office 365 portal, go to Billing - Subscriptions -











You will see that you have an active Office 365 Enterprise E3 trial with 25 licenses available.











------------------------------------------------------------------------------

At the end of your 30 day trial (Enterprise E3) - Extend your trial
How to extend your Office 365 Trial - Link

------------------------------------------------------------------------------

At the end of trial extension - Add a new subscription for a different 30 day trial
- Note that you can actually mix Business Premium Trial and Enterprise E3 Trial
- In the steps below, I am adding an Enterprise E5 trial

To add a new subscription, click on - Add Subscriptions -






You will now be able to add extra subscriptions.

Under the Purchase Services - Enterprise Suite - Highlight Office 365 Enterprise E5 - Start Free Trial











Under Checkout - Confirm your order - Click 'Try Now'













Continue -

Assign your new licences to your existing users and you will extend the subscription by 30 days.

------------------------------------------------------------------------------

At the end of your second 30 day trial (Small Business Suite) - Extend your trial
How to extend your Office 365 Trial - Link

------------------------------------------------------------------------------

At the end of your second trial extension - Add a new subscription for a different 30 day trial
- Note that you can actually mix Business Premium Trial and Enterprise E3 Trial
- In the steps below, I am adding a Business Premium Trial

To add your new subscription, click on -
Billing - Subscriptions -












Add Subscriptions -






Under the Purchase Services - Scroll down to - Small Business Suite - Office 365 Business Premium
- Start Free Trial










Under Checkout - Confirm your order - Click 'Try Now'












Continue -

Assign your new licences to your existing users and you will extend the subscription by 30 days.

------------------------------------------------------------------------------------------

At the end of your third 30 day trial (Business Premium) - Extend your trial
How to extend your Office 365 Trial - Link

-------------------------------------------------------------------------------------------

In my testing I have confirmed that even though the Business Premium trial licenses are Exchange Plan 1 (against E3 and E5 trials being Exchange Plan 2), I had no issues with my Hybrid environment. You will however lose Exchange Plan 2 features when switching to Business Premium (eDiscovery, Litigation Hold etc), so ensure you do the Exchange Plan 2 testing before switching to the Business Premium trial licenses.

-------------------------------------------------------------------------------------------

Extra info -
Here are the direct links to all the available Office 365 Trials

Office 365 Enterprise E3 Trial - Link
Office 365 Enterprise E5 Trial - Link
Office 365 Business Premium Trial - Link

-------------------------------------------------------------------------------------------

Update - 15 May 2017 - Now extended to cover my sixth month
My fifth month of using the Office 365 trials with extensions has now finished. I have now confirmed I can extend my third trial to give me a full 180 day trial.

As the third trial was for an E5 license, I can extend the trial as before.

Under my Subscriptions you can see that the E5 trial has expired and is now in Reduced Functionality mode -










To extend the trial, I click on Billing - Purchase Services
Select the appropriate service (E5), Extend trial.












Select - Next







Select your credit card (no payment will be charged)

Extend trial -

Your trial will now be extended.






The Purchase Services page will update to show that the trial has been extended with a new expiry date.











-------------------------------------------------------------------------------------------

Congratulations !!!
You have now extended your Office 365 trial for the full 180 days.

-------------------------------------------------------------------------------------------


How to update user UPNs to match the user's email address



Office 365 migration pre-requisites -
One of the many pre-requisites for Office 365 email migrations is matching the user's User Principal Name (UPN) to their email address. The UPN / email address is what Office 365 uses to authenticate and is what the SIP address is set to, so it is very important to get this right to ensure a smooth experience for the end client during a migration, especially in a hybrid migration scenario.

Many Exchange environments, especially Enterprise environments, have mismatched UPNs and primary SMTP email addresses. This may be due to many different reasons, for example a company may use the payroll ID for login (UPN), which is different to the user's email address. Plus many environments have inherited an 'old school' Active Directory structure with a local domain name like .internal or .local - which was very common five to ten years ago.

Whatever the reason, it is important to update the UPN to match the user's email address as part of the migration. During a hybrid migration, you will most likely be migrating batches of users, and as this is over a period of time, it is important that you only target and update the users that are migrating at that time. Many Enterprise environments may have the user's UPN tied to a business application (for example Mobile Iron), and if care is not taken, changing the UPN can cause disruption to the end client.

To make this process as painless as possible, I have created two different scripts to update users' UPNs in bulk to match their email addresses,
- one via targeting members of a group.
- one via targeting members of an Active Directory Organizational Unit.

To enable rollback if needed, I have also created two different scripts to run before you update the UPNs. These scripts document and export the current configuration of the user's UPN and email address, for either the members of a group or the members of an OU. Note the group type must be either an Exchange DL or a mail enabled security group.


Known Issue - Getting the UPN report of members of a security group that is not email enabled.
If you want to run the script to get the UPNs of a security group, you will need to convert the group to a mail enabled security group - Link
Step 1 - In Active Directory - Change the group type to Universal

Step 2 - In EMS - run the following cmdlet - Enable-DistributionGroup "SecurityGroupName"
Once converted, the script will be able to export the user details and UPNs of that group.

Note - It is HIGHLY RECOMMENDED that you run the Get-UPN scripts to have a record of the old UPN if they need to be rolled back.

==========================================================

Pre-requisites -
In preparation of running these scripts, please ensure you have prepared the computer you are running them on.

The 'Get' scripts use the Exchange Management Shell for exporting the current config.
- Run these scripts on a management computer with the Exchange Tools installed

The bulk 'Update' scripts use Active Directory PowerShell to update the UPN.
- Run these scripts on a management computer with the RSAT tools installed.

Next, decide on how you plan to segment and update your user's UPN.
This tutorial and the related scripts refer to segmenting and updating the UPNs via targeting either members of an Active Directory Organizational Unit, or members of a Group.

==========================================================

Reviewing the current configuration -

First you need to determine which users need their UPN updated.
In the examples below, you can see in Active Directory Users and Computers that I have multiple users with their UPN (User Logon Name) not matching the E-Mail Address (PrimarySMTPAddress).
Note that I have added the User Logon Name and Email Address column in my view in Active Directory Users and Computers.


This can also be viewed by reviewing the properties of the local AD user -

Local AD user properties -
Email Address - User01@teamterry365.com
User logon (UPN) - asdsdgesd@internal.teamterry365.com
User Logon - internal\user01




To get a record of the current configuration of your target users, run one of the following scripts which best suits the way you are targeting your users.

Script 1 - Get-UPN-SMTP-GroupMember.ps1 - targets users in an Active Directory Group
or
Script 2 - Get-UPN-SMTP-OU.ps1 - targets users in an Active Directory Organizational Unit

======================================================

Preparation for Running the 'Get' scripts and creating the pre-update report

Edit log path if needed
Edit both scripts if needed to point to your preferred log path. By default, both scripts will generate the csv output files to the location c:\reports.

Update the variable - $logpath = "c:\reports" - if you need to output to a different file location.
Note that the script will fail if the location - c:\reports - does not exist.

Preparation for running the Get scripts -
As both of the 'Get' scripts use EMS - Exchange Management Shell, you will need to run them from a Management server or workstation with the Exchange Tools installed, or an appropriate Exchange server.

Note that both scripts will prompt you for input - either to input the OU or the name of the Group.


Have the following information ready -

Targeting the group - The name of the group being targeted
This is in the Active Directory properties of the DL - as below
Copy and paste the Group Name to notepad in preparation for the UPN update.
Save the notepad file for when you actually update the UPN.




















Targeting the OU - The Distinguished Name of the OU being targeted -
The Distinguished Name of the OU can be found in the Attribute Editor tab of the properties of the OU. To see the Attribute Editor tab, you must first enable the 'Advanced Features' - in the View section of Active Directory Users and Computers.

















Once this is enabled, select the OU you are targeting, right click and select properties.
Select the 'Attribute Editor' tab.
Select the 'distinguishedName' property field.
Double click that field.































When you double click that field, the String Attribute Editor dialog box will appear.
You can then copy and paste the DN to notepad in preparation for the UPN update.
Save the notepad file for when you actually update the UPN.










============================================================

Running the 'Get' scripts -

Reminder - 
As both of the 'Get' scripts use EMS - Exchange Management Shell, you will need to run them from a Management server or workstation with the Exchange Tools installed, or an appropriate Exchange server.

Running the OU script - Get-UPN-SMTP-OU.ps1-
When prompted for the 'OrganizationalUnit' - copy and paste the value from notepad that you got and saved earlier.
No quotation marks are needed, even if you have a space in the names -










Running the Group script - Get-UPN-SMTP-GroupMember.ps1
When prompted for the 'GroupName' - copy and paste the value from notepad that you got earlier








Once the scripts have successfully run, you will have your reports in the log path you stipulated - by default - c:\reports

============================================================

Reviewing the csv files.
Keep the csv file for reference if you need to roll back the user's UPN for any reason.
The images below have been highlighted to show the mismatched UPNs.

Results from - Get-UPN-SMTP-GroupMember.ps1
- The report file name will be - Users-UPNs-Group.csv
Note that user01 has a different UserPrincipalName to its PrimarySmtpAddress.







Results from - Get-UPN-SMTP-OU.ps1
- The report file name will be - Users-UPNs-OU.csv
Note that four users have a different UserPrincipalName to their PrimarySmtpAddress.

==============================================================

Preparation for running the scripts to update the user's UPN.
Once you have captured the original UPN configuration, you can start preparing to update the UPNs to match the email address.

The update scripts use Active Directory PowerShell, so ensure you are running the scripts from a computer that has RSAT installed. The scripts will automatically import the Active Directory module so you can actually run the script from the standard PowerShell window or PowerShell ISE.

Open the notepad files you created earlier so that you can copy and paste the Group Name or the Distinguished Name of the OU when prompted.

===============================================================

Running the Update scripts -
Once you are ready, run the appropriate script to update the UPN.

Running the OU Update script - UpdateUPNviaOU.ps1

When prompted for the 'OrganizationalUnit' - copy and paste the value from notepad that you got earlier.








Running the Group Update script - UpdateUPNviaGroup.ps1
When prompted for the 'GroupName' - copy and paste the value from notepad that you got earlier.








Results - 
The OU view shows all users that were previously mismatched now have a UPN that matches their email address.


















For the testing of the script for the Group, I reset user01 and user04 to mismatched UPNs and then ran the Update script for groups.
This script successfully updated user01 and user04 to have matching UPNs.
















Congratulations -
You have now updated your UPNs to match the user's email address.
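
The report-then-update procedure above, including the rollback record, as an added PowerShell example. It is not the author's Get-UPN-SMTP or UpdateUPN scripts, which this page does not reproduce. It assumes the primary SMTP address is the single proxyAddresses entry with an upper-case 'SMTP:' prefix; the function names, the timestamped CSV file name, and the sample users are hypothetical.

```powershell
# Added example: NOT the author's Get-UPN-SMTP-*.ps1 / UpdateUPNvia*.ps1 scripts.
# Assumptions: the primary SMTP address is the single proxyAddresses entry with an
# upper-case 'SMTP:' prefix; function names and sample users are hypothetical.

function Get-UpnChangePlan {
    # Builds one plan row per user: old UPN, proposed UPN, and what to do.
    param([Parameter(Mandatory, ValueFromPipeline)] $User)
    begin { $rows = New-Object System.Collections.ArrayList }
    process {
        $primary = @($User.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' })
        $newUpn = $null
        if ($primary.Count -ne 1) {
            $action = 'Skip-NoSinglePrimarySmtp'
        } else {
            $newUpn = $primary[0].Substring(5)
            if ($newUpn -ieq $User.UserPrincipalName) { $action = 'AlreadyMatched' } else { $action = 'Update' }
        }
        [void]$rows.Add([pscustomobject]@{
            SamAccountName    = $User.SamAccountName
            DistinguishedName = $User.DistinguishedName
            OldUPN            = $User.UserPrincipalName
            NewUPN            = $newUpn
            Action            = $action
        })
    }
    end {
        # Two users must never end up with the same UPN: skip both for manual review.
        # (Only checks within this batch, not against the rest of the forest.)
        $rows | Where-Object { $_.Action -eq 'Update' } | Group-Object NewUPN |
            Where-Object { $_.Count -gt 1 } |
            ForEach-Object { foreach ($r in $_.Group) { $r.Action = 'Skip-DuplicateTarget' } }
        $rows
    }
}

function Invoke-UpnChangePlan {
    # Writes the plan to CSV first (the rollback record), then applies 'Update' rows.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [object[]]$Plan,
        [string]$LogPath = 'C:\reports'
    )
    # Create the report folder if it is missing, and write the CSV even under -WhatIf.
    if (-not (Test-Path $LogPath)) {
        New-Item -ItemType Directory -Path $LogPath -WhatIf:$false | Out-Null
    }
    $csv = Join-Path $LogPath ("UPN-plan-{0:yyyyMMdd-HHmmss}.csv" -f (Get-Date))
    $Plan | Export-Csv -Path $csv -NoTypeInformation -WhatIf:$false
    foreach ($row in @($Plan | Where-Object { $_.Action -eq 'Update' })) {
        if ($PSCmdlet.ShouldProcess($row.SamAccountName, "Set UPN to $($row.NewUPN)")) {
            Set-ADUser -Identity $row.DistinguishedName -UserPrincipalName $row.NewUPN
        }
    }
    $csv   # return the report path for the rollback step
}

function Undo-UpnChange {
    # Restores OldUPN for every row the saved plan marked 'Update'.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string]$CsvPath)
    foreach ($row in @(Import-Csv $CsvPath | Where-Object { $_.Action -eq 'Update' })) {
        if ($PSCmdlet.ShouldProcess($row.SamAccountName, "Restore UPN $($row.OldUPN)")) {
            Set-ADUser -Identity $row.DistinguishedName -UserPrincipalName $row.OldUPN
        }
    }
}

# Constructed sample records standing in for Get-ADUser output (runs offline).
$ou = 'OU=Batch1,DC=internal,DC=example,DC=com'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'user01'; DistinguishedName = "CN=User01,$ou"
        UserPrincipalName = 'asdsdgesd@internal.example.com'
        proxyAddresses = @('SMTP:User01@example.com', 'smtp:u01@example.com') }
    [pscustomobject]@{ SamAccountName = 'user02'; DistinguishedName = "CN=User02,$ou"
        UserPrincipalName = 'user02@example.com'
        proxyAddresses = @('SMTP:User02@example.com') }
    [pscustomobject]@{ SamAccountName = 'user03'; DistinguishedName = "CN=User03,$ou"
        UserPrincipalName = 'user03@internal.example.com'
        proxyAddresses = @('smtp:user03@example.com') }       # no primary address
    [pscustomobject]@{ SamAccountName = 'user04'; DistinguishedName = "CN=User04,$ou"
        UserPrincipalName = 'p1004@internal.example.com'
        proxyAddresses = @('SMTP:shared@example.com') }
    [pscustomobject]@{ SamAccountName = 'user05'; DistinguishedName = "CN=User05,$ou"
        UserPrincipalName = 'p1005@internal.example.com'
        proxyAddresses = @('SMTP:shared@example.com') }       # collides with user04
)

$plan = $sample | Get-UpnChangePlan
$plan | Format-Table SamAccountName, OldUPN, NewUPN, Action -AutoSize

# Against a real directory (RSAT ActiveDirectory module), build the plan from an OU or a group:
#   Import-Module ActiveDirectory
#   $plan = Get-ADUser -Filter * -SearchBase $OuDn -Properties proxyAddresses | Get-UpnChangePlan
#   $plan = Get-ADGroupMember $GroupName | Where-Object { $_.objectClass -eq 'user' } |
#             Get-ADUser -Properties proxyAddresses | Get-UpnChangePlan
#   $csv  = Invoke-UpnChangePlan -Plan $plan -WhatIf    # dry run; repeat without -WhatIf to apply
#   Undo-UpnChange -CsvPath $csv                        # rollback from the saved plan if needed
```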

===============================================================

Acknowledgements -
Special thanks to Simon Payne for assistance with the script targeting the Group -

===============================================================



How to use Chrome browser for concurrent multiple connections to different Office 365 tenancies.





   All hail the King of Browsers !






The vast majority of Office 365 admins I know use Internet Explorer in InPrivate mode and Chrome browser in Incognito mode to be able to effectively administer multiple tenants or multiple user logins when working in the Office 365 portal. This is a valid workaround that works *most* of the time, but sometimes browser issues cause you to 'reconnect' to a different user or tenancy, which can cause much bigger issues if you start administering the incorrect tenant.

Chrome has an awesome feature that many Office 365 Administrators are not aware of. In fact, I was only made aware of this recently by someone who only just found out about it himself.

This feature allows a device user to create separate Chrome profiles for multiple users - Link.
The huge benefit of this feature to Office 365 administrators is the ability to have multiple Chrome windows open at the same time, with each window being logged into a different tenancy - all while in the standard browser not using incognito mode.

In the image below you can see that I have logged successfully into two different tenancies.


Utilising this great feature really makes administering multiple tenancies so much easier.

==================================================================

Configuring Chrome for multiple profiles is really easy.
First make sure you have installed the latest version of Chrome.
Once installed, click on the user icon at the top of the browser window -
Then select - Manage people



A new window will appear.
Select - Add Person































In the Add Person screen - Enter a name for the profile and select an icon if you like.
For this profile, I have entered the name as the domain name of the tenancy for ease of use.
- Create a desktop shortcut for this user - keep selected if you want a desktop shortcut created.
Save






























Chrome will now open a new window with profile name in the bar.
As I have selected - Create a desktop shortcut for this user - it has also done that.
It has also created a desktop shortcut for the default user - Person 1


















As I would like to create another profile for my second tenancy, I need to repeat the process.
As I already have the teamterry365 Chrome profile loaded, I can simply click on the profile name to start the process again.
I then select - Manage people - to continue profile management to create the new profile.





















Repeat the process -

Select Add Person -






























Enter the profile name.
I am once again using the domain name for ease of use.






























Chrome has once again created the shortcut as requested, complete with icon.
I now have the two Chrome browser windows open, and I will show you the process for logging successfully into two separate tenancies.


















Login to the portal with the credentials for the two separate tenancies


















I can even take advantage of saving my password and selecting 'Stay Signed In'

















As you can see, I have successfully logged into the two separate tenancies.

















If you try to do this with Internet Explorer, the second browser session will automatically log in with the credentials of the first browser. Using IE with InPrivate browsing alleviates this issue most times, but I have had many issues with IE logging in with the credentials of the first session. I find Chrome is the much better solution.

An extra benefit of Chrome profiles is the ability to have different bookmarks in each profile.


















You can take this a step further and create bookmarks to take you directly to the Admin Portal of your choice, and depending on your session connectivity, in most circumstances you will log straight in.

Office 365 Admin Portal - https://portal.office.com/adminportal
Exchange Admin Center - https://outlook.office365.com/ecp
SharePoint Online Admin Center - https://TENANT-NAME-admin.sharepoint.com
Security and Compliance Center - https://protection.office.com
Azure Admin Portal - https://portal.azure.com
Intune Admin Portal - https://manage.microsoft.com/
OneDrive for Business Admin Portal - https://admin.onedrive.com

================================================================

Congratulations - You have now configured Chrome browser for concurrent multiple connections to different Office 365 tenancies !

================================================================


How to configure Exchange 2013 - 2016 for Office 365 Hybrid


Most of the tutorials I have seen over the years for Office 365 migrations, hybrid configuration and so on have never really gone into the little details that make a huge difference to your migration experience. Over the Christmas break I decided to create a new hybrid test environment from scratch, and it was the perfect opportunity to fully document the detailed steps to prepare for Office 365 Hybrid.

 ==========================================================

Pre-Migration Preparation - Exchange Local

Windows Updates on Exchange and Active Directory servers and clients

Check your version of Exchange meets the minimum for the Hybrid Connection Wizard -
As at 7 October, the following are minimum versions of Exchange 2013 and 2016.
- Exchange 2013 - CU7
- Exchange 2016 - RTM

==========================================================

Pre-Migration Preparation - Local Active Directory

Review existing Active Directory Group Policies as cleaning Active Directory may break these.
If you will be creating new OU structures and moving users to the new OU structure, this may break Group Policies that are applied to these users.

Clean Active Directory to ensure all the Exchange Objects that you want synced to Office 365 are in a single AD Organisational Unit, or under that OU.
Understand that DirSync will target the OU you select and synchronise all objects under it. If you have not cleaned up AD, the DirSync process will synchronise everything, including
- Local AD System Accounts
- Local AD Administrator Accounts
- Deprovisioned Users
- Groups that you may want to keep as Local AD only
- Anything else that you may want to keep as Local AD only
--- Move anything not needing to be synced to Office 365 to separate OUs that will not be synced.

My Local Active Directory before the clean-up -
Default Active Directory with new users created in the Users OU by default.
Creation of a new Exchange OU structure -
I have created a new OU named Exchange at the AD Domain root.
I have then created the following OU structure underneath the Exchange OU.
- Contacts - (External email contacts to appear in the GAL)
- Distribution Groups - (Email distribution groups)
- Rooms - (Room mailboxes)
- Security Groups - (Email enabled security groups)
- Shared Mailboxes - (Shared Mailboxes)
- Users - (User mailboxes)

I then moved all the Exchange objects to their associated OU,
Including Exchange Dynamic DLs, Email enabled security groups, external contacts, rooms and shared mailboxes.
In summary, if you want it synched to Office 365, it goes under the Exchange OU.

*** Important ***
You will need to check how the membership of your Dynamic DLs is configured.
For example, the Dynamic DL I created was configured to look at the Users OU for membership.
If I do not update the membership rule, the DL will break once users are moved to the new OU structure.
To update how the Dynamic DL is populated, you need to edit the properties of the Dynamic DL via Exchange On-premises.

See below for the new Exchange OU structure that I created -























Local Active Directory Exchange objects have now been organised and all objects to be synched to Office 365 are under the Exchange OU.

Update Active Directory Group Policies if needed.
If you have created a new OU structure and moved users to that OU structure, this may break Group Policies that are applied to these users. Review the Group Policies and resolve any issues.

===========================================================

Local Active Directory preparation for Office 365 login
Office 365 logins are usually the email address. Many small businesses have a mismatch between users' email addresses, their UPN and their local AD login. To resolve this conflict, perform the following steps in preparation for users logging in to Office 365 with their email address after migration.


Edit OWA login format to match the email - Link

Add the external domain to allow for login with UPN with external domain name
Add the external domain name to Active Directory Domains and Trusts
- Active Directory Domains and Trusts - Right click - Properties

















Add the domain name - Add - Apply - OK


This will update the login options for users in local AD.

User login format will now have two options in the AD logon name drop down.

Set ALL user logins to be the UPN (which will match the email address) - Link
Note the Active Directory path which will be needed in the final script
(work backwards as per example).



Note that this script targets only users in the specific OU and sub-OUs.
This means that after you edit the script to use a SearchBase, only user objects below that OU will be affected.

It is critical to ensure you are not accidentally targeting service accounts, administrator etc, so ensure that they are in other OUs that will NOT be affected.

Example script - edit the red sections to match your AD structure
Get-ADUser -Filter * -SearchBase 'ou=Users,ou=MyBusiness,dc=company,dc=local' -Properties userPrincipalName | foreach { Set-ADUser $_ -UserPrincipalName "$($_.samaccountname)@domain.com"}


My real world script to match my Active Directory -
Get-ADUser -Filter * -SearchBase 'ou=User Mailboxes,ou=Exchange,dc=internal,dc=teamterry365,dc=com' -Properties userPrincipalName | foreach { Set-ADUser $_ -UserPrincipalName "$($_.samaccountname)@teamterry365.com"}

Account logon name once updated with the script.

Check and Confirm ALL local Exchange objects that are being migrated have the external email address applied to the User Logon Name field.
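
A preview step for the bulk UPN change above, as an added example (not the author's script): it builds a change plan first and leaves out accounts that should not be touched. The function name Get-UpnChangePlan, the skip rules and the sample users are assumptions made for illustration.

```powershell
# Added example: build a reviewable plan before changing UPNs in bulk.
# Get-UpnChangePlan is a hypothetical helper, not part of the ActiveDirectory module.
function Get-UpnChangePlan {
    param(
        [Parameter(Mandatory)] [object[]] $User,       # objects shaped like Get-ADUser output
        [Parameter(Mandatory)] [string]   $UpnSuffix   # the external mail domain
    )
    foreach ($u in $User) {
        $newUpn = "$($u.SamAccountName)@$UpnSuffix"

        # Skip rules are assumptions for this example; adjust them to your environment.
        if     ($u.adminCount -eq 1)              { $reason = 'privileged (adminCount = 1)' }
        elseif (-not $u.Enabled)                  { $reason = 'disabled account' }
        elseif ($u.UserPrincipalName -eq $newUpn) { $reason = 'UPN already matches' }
        else                                      { $reason = $null }

        $action = 'Change'
        if ($reason) { $action = 'Skip' }

        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            CurrentUpn     = $u.UserPrincipalName
            NewUpn         = $newUpn
            Action         = $action
            Reason         = $reason
        }
    }
}

# Constructed sample input so the plan can be inspected without a domain controller.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jsmith';     UserPrincipalName = 'jsmith@internal.teamterry365.com';     Enabled = $true;  adminCount = $null }
    [pscustomobject]@{ SamAccountName = 'svc-backup'; UserPrincipalName = 'svc-backup@internal.teamterry365.com'; Enabled = $true;  adminCount = 1 }
    [pscustomobject]@{ SamAccountName = 'bjones';     UserPrincipalName = 'bjones@internal.teamterry365.com';     Enabled = $false; adminCount = $null }
    [pscustomobject]@{ SamAccountName = 'akhan';      UserPrincipalName = 'akhan@teamterry365.com';               Enabled = $true;  adminCount = $null }
)
Get-UpnChangePlan -User $sample -UpnSuffix 'teamterry365.com' | Format-Table -AutoSize

# Against the live domain (requires the ActiveDirectory module). -WhatIf only reports
# what Set-ADUser would change; remove it once the plan has been reviewed.
# $users = Get-ADUser -Filter * -SearchBase 'ou=User Mailboxes,ou=Exchange,dc=internal,dc=teamterry365,dc=com' `
#              -Properties userPrincipalName, adminCount
# Get-UpnChangePlan -User $users -UpnSuffix 'teamterry365.com' |
#     Where-Object Action -eq 'Change' |
#     ForEach-Object { Set-ADUser -Identity $_.SamAccountName -UserPrincipalName $_.NewUpn -WhatIf }
```

Export the plan with Export-Csv before applying it so the previous UPN of every changed account is on record.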

==========================================================

Exchange Local Configuration -

If you have a non-routable domain name, split brain DNS is most likely already configured. To prepare for the Office 365 migration, please ensure you have DNS host records (A record) pointing to the IP address of the appropriate Exchange server(s).
You will need an A record for both autodiscover and mail host records.

Configure Split Brain DNS if using a non-routable domain name (company.local) Link
Internal DNS -
ServerName - Forward Lookup Zones - New zone -
Add two zones
Host - autodiscover.domain.com - Points to the IP address of the Exchange server
Host - mail.domain.com - Points to the IP address of the Exchange server










Ensure your Exchange SSL cert is current

Ensure your Exchange URLs are pointing to the external domain - Link
All Exchange internal and external URLs will be pointing to - mail.teamterry365.com -
Use the scripts below and update with your domain URL

Outlook Anywhere
Get-OutlookAnywhere | Set-OutlookAnywhere -ExternalHostname mail.teamterry365.com -InternalHostname mail.teamterry365.com -ExternalClientsRequireSsl $true -InternalClientsRequireSsl $true -DefaultAuthenticationMethod NTLM

MAPI
Get-MAPIVirtualDirectory | Set-MAPIVirtualDirectory -ExternalUrl https://mail.teamterry365.com/mapi -InternalUrl https://mail.teamterry365.com/mapi

Outlook Web App
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -ExternalUrl https://mail.teamterry365.com/owa -InternalUrl https://mail.teamterry365.com/owa

Exchange Control Panel
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -ExternalUrl https://mail.teamterry365.com/ecp -InternalUrl https://mail.teamterry365.com/ecp

Exchange ActiveSync
Get-ActiveSyncVirtualDirectory | Set-ActiveSyncVirtualDirectory -ExternalUrl https://mail.teamterry365.com/Microsoft-Server-ActiveSync -InternalUrl https://mail.teamterry365.com/Microsoft-Server-ActiveSync

Exchange Web Services
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -ExternalUrl https://mail.teamterry365.com/EWS/Exchange.asmx -InternalUrl https://mail.teamterry365.com/EWS/Exchange.asmx

Offline Address Book
Get-OabVirtualDirectory | Set-OabVirtualDirectory -ExternalUrl https://mail.teamterry365.com/OAB -InternalUrl https://mail.teamterry365.com/OAB

AutoDiscover
Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://mail.teamterry365.com/Autodiscover/Autodiscover.xml

PowerShell
Get-PowerShellVirtualDirectory | Set-PowerShellVirtualDirectory -ExternalUrl https://mail.teamterry365.com/PowerShell -InternalUrl https://mail.teamterry365.com/PowerShell
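
A check to run after the URL changes above, as an added example (not one of the author's scripts): it reports every internal or external URL that is empty or does not start with https:// followed by the expected host name. The function name Test-ExchangeUrl, the server name EX01 and the sample rows are assumptions made for illustration.

```powershell
# Added example: report virtual directory URLs that are not https://<expected host>/...
# Test-ExchangeUrl is a hypothetical helper, not an Exchange cmdlet.
function Test-ExchangeUrl {
    param(
        [Parameter(Mandatory)] [object[]] $VirtualDirectory,  # needs Identity, InternalUrl, ExternalUrl
        [Parameter(Mandatory)] [string]   $ExpectedHost
    )
    # The scheme must be https and the host must match exactly, followed by "/" or end of string.
    $pattern = '^https://' + [regex]::Escape($ExpectedHost) + '(/|$)'

    foreach ($vd in $VirtualDirectory) {
        foreach ($prop in 'InternalUrl', 'ExternalUrl') {
            $value = [string]$vd.$prop
            if     ([string]::IsNullOrEmpty($value)) { $status = 'NotSet' }
            elseif ($value -match $pattern)          { $status = 'OK' }
            else                                     { $status = 'Mismatch' }

            [pscustomobject]@{
                Identity = $vd.Identity
                Property = $prop
                Url      = $value
                Status   = $status
            }
        }
    }
}

# Constructed sample rows: one correct, one with a mistyped scheme separator,
# one still pointing at an internal server name with no external URL set.
$sample = @(
    [pscustomobject]@{ Identity = 'EX01\owa (Default Web Site)'
                       InternalUrl = 'https://mail.teamterry365.com/owa'
                       ExternalUrl = 'https://mail.teamterry365.com/owa' }
    [pscustomobject]@{ Identity = 'EX01\Microsoft-Server-ActiveSync (Default Web Site)'
                       InternalUrl = 'https://mail.teamterry365.com/Microsoft-Server-ActiveSync'
                       ExternalUrl = 'https:/mail.teamterry365.com/Microsoft-Server-ActiveSync' }
    [pscustomobject]@{ Identity = 'EX01\EWS (Default Web Site)'
                       InternalUrl = 'https://ex01.internal.teamterry365.com/EWS/Exchange.asmx'
                       ExternalUrl = $null }
)
Test-ExchangeUrl -VirtualDirectory $sample -ExpectedHost 'mail.teamterry365.com' |
    Where-Object Status -ne 'OK' | Format-Table -AutoSize

# In the Exchange Management Shell, feed it the live objects instead:
# $live = @(Get-OwaVirtualDirectory) + @(Get-EcpVirtualDirectory) + @(Get-ActiveSyncVirtualDirectory) +
#         @(Get-WebServicesVirtualDirectory) + @(Get-OabVirtualDirectory) + @(Get-MapiVirtualDirectory) +
#         @(Get-PowerShellVirtualDirectory)
# Test-ExchangeUrl -VirtualDirectory $live -ExpectedHost 'mail.teamterry365.com'
```

The host name passed as -ExpectedHost should be a name that appears on the Exchange SSL certificate, otherwise clients will see certificate warnings even when every URL reports OK.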


=========================================================

Office 365 Tenant pre-migration preparation - 
Tenant - 365adminblog.onmicrosoft.com

Exchange Online -
Purchase licenses

Verify you own the domain
- Office 365 Portal - Setup - Domains - Add domain - teamterry365.com

Edit your DNS txt record for domain verification

DO NOT edit any further DNS records at this time - Save and Close

Wait 15 minutes -

Continue with the Office 365 domain wizard,
Setup - Domains - Select the new domain you added - Continue Setup

I'll add the DNS records myself - Next

Scroll to the bottom of the page - Verify

Verify will advise that records are missing -





Scroll to the bottom of the page - tick the box 'Skip this step' -
Click - 'Skip'

You will receive the following advice - Finish

Your domain is now verified and ready for Hybrid configuration

===========================================================

Exchange On-premises pre-migration preparation - 

Using the Hybrid Connection Wizard to create Exchange Online Objects 


Before downloading the HCW - download and install .Net 4.6.2 - Link

Exchange On-premises - Install and configure Hybrid Connection Wizard
Consider what server you would like Azure AD Connect installed on. If possible, install Azure AD Connect on a dedicated server.

On a local domain joined Server - Internet Explorer - Log into the Office 365 Portal -
Setup - Data Migration









Migration Page - Select your data service - Exchange











You will be prompted to download the application - The machine must be domain joined.
Install - (Note that you must be using Internet Explorer, other browsers may fail to run the install).

Note, if the Hybrid Connection Wizard doesn't start to download automatically
Open Internet Explorer - Copy this link -

On the pop-up - Click Install - Run - Next -

Hybrid Connection Wizard starts - Next - On-premises Exchange Server Organization -
By default it will pick the optimal server for the migration. - Next

Credentials -
Use current credentials for local Exchange (if appropriate)

Sign in for Exchange Online -
Enter admin credentials for Office 365 -
Next

The Hybrid Configuration Wizard gathers information -
Once completed - click Next


Hybrid Features page - Select Minimal Hybrid Configuration - Next -




















Ready for update - Update
(This updates your on-premises Exchange environment and cannot be stopped and rolled back)















This process will create connectors and configure Exchange for Hybrid connectivity with Office 365.

==============================================================

This process should download and install Azure AD Connect automatically, but in reality I have had mixed results.

If Azure AD Connect did not install you will be advised that you can install Azure AD Connect later.

If you click on - learn more - it takes you to the download site -


You can close the Office 365 Hybrid Configuration wizard and start the install of Azure AD Connect.


Azure AD Connect installation - 

Azure AD Connect Wizard
Agree to the terms and select Continue

In this instance I am going to select Express Settings (read the summary of actions performed).


























Note - You can use Express Settings if your internal domain is routable. In this instance, the internal domain is - internal.teamterry365.com - and this is an Internet routable domain.

============================================================

If your internal domain is non-routable, you will need to choose Customize. An example of a non-routable domain would be - company.local - see image below






=============================================================

As this domain is Internet routable, I will continue with Express Settings -

Enter the Office 365 credentials - Next













Enter your local Active Directory credentials













As this is a routable domain, the Azure AD sign-in configuration will show the domain is verified.
- Click - Next



























The default configuration will start the synchronization after configuration is complete.
If you need Exchange Hybrid deployment, select that box and then click 'Install'.
In this tutorial, I will be selecting - Exchange Hybrid deployment -


























The wizard will continue.

Once the wizard is complete, you will see a summary.


























============================================================

Now that Hybrid has been enabled and configured with default settings, we need to update those settings to target our specific OU.

To see what objects have been targeted for sync in the initial configuration, log into the Office 365 portal and select - Users - Active Users. As you can see, the default configuration has selected all objects to be synced, including Health Mailboxes.













To remove them properly, we will reconfigure Azure AD Connect to target the specific OU in local Active Directory that we want.

Re-configuring Azure AD Connect -
Log on to the server that has Azure AD Connect installed.
Select the application - Azure AD Connect






Azure AD Connect will load and advise that the sync service scheduler is suspended.
Select - Configure -



























Under - Additional Tasks - Select - Customize Synchronization options - Next



















Enter the Office 365 credentials - Next












As our local Active Directory is already connected - click next (do not click Add Directory)















Now we can select the OU we want to target -
Select - Sync selected domains and OUs - then expand the domain and select the OU
In the image below, I have expanded the domain - internal.teamterry365.com
I have then selected ONLY the OU named - Exchange -
I have expanded the Exchange OU and confirmed all sub-OUs are selected. - Next
















Next - Select your optional features.
Note that Azure AD constantly updates these features, so choose which suits your Organization the best. I have selected the default for this tutorial. - Next














Azure AD Connect configuration will complete after you click - Configure
Click Configure.













The configuration will commence and take some time depending on the size of your Organization.

Once completed, review the results and click Exit.














=========================================================

Office 365 objects after sync

Azure AD Connect should update your synchronized objects automatically, but if you would like to manually force a sync on Azure AD Connect, perform the following - Link

On the server where Azure AD Connect is installed - PowerShell
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta

As you can see, Azure AD Connect has now only synchronized objects in the targeted OU.
Note that as no licenses have been assigned at this stage, and no mailboxes have been moved either, all the user, shared and resource / room mailboxes are created as unlicensed users in the Office 365 Admin portal.

- Admin Portal Objects -

Users
The users selected in Blue have been created in Office 365 - Sync Type - In Cloud
The users selected in Red have been synced with local Active Directory - Sync Type - Synced with...

















Contacts
Select Users - Contacts - to show the contacts that have been synced via DirSync

Groups -
- The Distribution group has been synched correctly
- Note - Dynamic Distribution groups created in local Active Directory will need to be recreated.


- Office 365 - Exchange Admin Center Objects -

Mailboxes in Office 365 -
Only mailboxes created in Office 365 will show in the Exchange Online mailboxes view












Contacts in Office 365 -
Office contacts have been created in Office 365 that sync with on-premises user mailboxes, rooms and shared mailboxes. External contacts created in local Exchange will also show here.

Groups in Office 365
Only the Distribution Group created in local Exchange has been created in Office 365.
Note that mail enabled security groups will also be created in Office 365 via the sync.
Note that Dynamic Distribution Groups are NOT synced successfully and will need to be recreated in Office 365.













Resources and Shared -
Only Office 365 created resource and shared mailboxes will appear in the Office 365 EAC.

==============================================================

Congratulations -
You have successfully configured your Exchange 2013 - 2016 Organization for Hybrid.

==============================================================
