Office 365 licensing (using PowerShell)

Below are some very simple powershell code to handle licensing in Office 365:

# Powershell
# Requirement: Connected to msol-service

# Get your SKU, extract your AccountSkuId (tenantname:SKU)

# Remove license VISIOCLIENT for all users
$all       = get-msoluser -all
$sku       = "mytenant:VISIONCLIENT"
$all | Where-Object {($_.licenses).AccountSkuId -match $sku } | Set-MsolUserLicense -RemoveLicenses $sku

$all       = get-msoluser -all
$sku       = "mytenant:VISIONCLIENT"
$all | Set-MsolUserLicense -AddLicenses $sku

# Add PARTIAL SKU (SKU: F1, disable FLOW and Teams)
$SKU       = "mytenant:DESKLESSPACK"
$options   = New-MsolLicenseOptions -AccountSkuId mytenant:DESKLESSPACK -DisabledPlans FLOW_O365_S1,TEAMS1
$all | Set-MsolUserLicense -AddLicenses $SKU -LicenseOptions $options

RSS feeds on websites ?

RSS feeds

RSS (Rich Site Summary) is a web feed that allows users to access update in a standardized way. It's a very common way of getting updates from multiple web pages into a reader to get updates. Most sites have a button for getting the feed URL.

Missing RSS button ?

Many sites do not have a RSS button but are still having a feed on their page. Two very common ways are the /feed and /rss on the website;
You can test the RSS using your web browser to verify the existance of the feed.

Feed create tool

Some sites does not support RSS - however there exists online tools to create a RSS feed from almost any page. Feed Creator from is a simple to use tool.

Connect VPN using Azure MFA NPS extension

Azure MFA have a extension for Microsoft NPS (Network policy server) that can be used to connect on-premise Active Directory to Azure MFA for strong authentication. Today the team that I was working on investigated if this can be used WITHOUT synchronized (hybrid) identities and had a successful result.

The environment and setup

  • Cloud identities only (
  • Local Active Directory with users (
  • NPS server joined to Active Directory
  • NPS extension installed and configured
  • Cloud identity have a license that allows Azure MFA (EMS suite in our case)
  • Cloud user have enrolled and registered for Azure MFA
  • Cloud user have set primary authentication option to either MFA app or Call
    (any option requiring additional input won't work)
Why have a Active Directory with cloud only identities ? 
This is a "fairly" uncommon scenario but happens in large enterprises. They often have a IDM solution managing different identities (same sign on; ID & PWD) for many applications, domains, Azure AD, etc. The Active Directory replaces a internal user directory in the VPN server (or similar).

NPS server & Azure MFA NPS Extension 
The NPS server is a RADIUS server which can be used with any service supporting RADIUS. The Azure MFA NPS extension adds the possibility to do strong authentication using the NPS environment. This creates a good solution for strong authentication using Azure MFA.

The NPS Extension can also be configured to match on another attribute than UPN using NPS extension advanced options.

What happens during logon ?

  1. User / application connects to the VPN gateway
  2. VPN gateway contacts the RADIUS server for authentication
  3. NPS server authenticates the user (ID & PWD) and continues if successful
  4. Fetches the UPN of the authenticated account
  5. Hands off the UPN to Azure MFA server for strong authentication
  6. Azure MFA check primary authentication method and challenges the user
  7. User responds to challenge (in Authenticator App or answers the call + #)
  8. If strong authentication is successful the NPS extension hands off OK to NPS server
  9. NPS server respons back to VPN gateway with successful authentication
  10. VPN gateway connects user to the network


Facebook at Work provisioning using "built-in" Azure SCIM

Facebook at Work ( is the business variant of Facebook. This gives enterprises the possibility to own, manage and use Facebook in a Enterprise context. As Facebook at Work is born in the cloud it comes with modern API's for user manangement and also exists in the Microsoft Azure Marketplace (link).

When integrating Facebook at Work into Azure you get two pre-built options from Microsoft;

  • Single Sing On (using Azure AD)
  • User Provisioning (using a pre-built Azure AD SCIM connector to facebook)

Configure Single Sign On

Below is a short guide for setting up Single Sign On between Facebook and Azure AD:

  1. Create a Azure AD user (with email)
  2. Create a Facebook user with username
    (make this user a global admin)
  3. Logon to Facebook at Work and Azure with your newly created users
    (there will be a match check when setting up
  4. Logon to your Facebook at Work instance
    1. Community Center > Settings
    2. Note down information under SAML configuration
      • Audience URL
      • Recipient URL
      • ACS URL
  5. Open Azure AD
    1. Add Azure application: Facebook  at Work
    2. Assign the Azure as a user to Facebook at Work app
    3. Setup SSO
      1. Sign on URL = Tenant URL for Facebook (
      2. Identifier = Audience URL (from above)
      3. Reply URL = ACS URL (from above)
      4. Certificate; create a new 3 year certificate
      5. Store information from Azuire
        • Download the certificate file
        • Note down the SAML SSO URL
        • Note down the SAML Issure URI
  6. Back to the Facebook at Work
    1. Community > Settings
    2. SSO settings
      1. Change to SSO logon: SSO Only
      2. Expire setting: 3 weeks
      3. Certificate = Open the cert-file downloaded and paste the text
      4. SAML URL = SAML SSO URL from Azure
      5. SAML Issuer URI = SAML Issuer URI from Azure
      6. Click "TEST SSO"
        SSO should now work and be successful. Save settings. Remember that now must all authentication go through the Azure AD (not possible with multiple authentication providers in Facebook at Work at the moment). 
  7. Back to Azure AD (finish the settings)
    1. Add a notification email (for errors on certificate)

SCIM provisioning

It's also easy to setup SCIM provisioning to Facebook. 
  1. Logon to Facebook at Work
    1. Community > Settings
      1. Note down Access token
      2. Note down SCIM URL
      3. Note down Community ID
  2. Azure AD > Applications > Facebook at Work > Configure
    1. Setup provisioning
      1. User Security Token = Facebook Access token
      2. Facebook at Work Tenant URL = SCIM URL
    2. Test the connection
    3. Setup notification email (for errors on provisioning)

Username vs. E-mail address

Facebook as a cloud service provider expects that the users logon name and e-mail address are the same (at the moment). In a standard configuration Azure will create users with [UserPrincipalName] and expect these to work. You can suppressEmail (however not recommended as the service uses e-mail for driving engagement and remind users to check posts in Facebook AtWork).

E-mail invitation 

When new users are provisioned by Azure (using the SCIM integration) the service will send a invite e-mail to the newly provisioned user. This is to quickly get the user onboarded and active on the Facebook AtWork social platform.

Prevent e-mail invitation (and e-mail communication): Facebook at Work have a property suppressEmail that will stop Facebook from sending e-mails to the user. 


This is possible to configure using the Azure provisioning engine. The settings are changed in the Azure > Applications > Facebook AtWork > Attributes > Provisioning:

To add the "SuppressEmail" click on "add attribute mapping", choose "suppressEmail" (in the Facebook AtWork attribute) and then you have two options.

  • Suppress all email communications for all users (using Constant = true)
  • Suppress email communications for e-mail less users - no mail attribute in Azure AD(and allow for users with mail)

    This will check the mail attribute on the users in Azure AD, if present set suppressEmail to "false" and if blank set it to "true". My little piece of magic! 

Office 365 Clutter stuff

What is Clutter ?
Clutter is an email filtering option available to Office 365 customers.  It is similar to an anti-spam filter as it moves less important email (based on your reading habits) into a 'Clutter' folder where they can be ignored or reviewed later.  Most of the mail going into the folder should be bulk mail (advertisements) and messages from mailing lists.  However, you will want to periodically check the Clutter folder as it may move legitimate email into this folder.

When is Clutter applied ? 
Messages are handled in the following way in Exchange online:

  1. Message are scanned by Exchange online protection (EOP)
  2. Message rules in the tennant/Exchange online
  3. If the mail gets to the user mailbox
    1. Junk e-mail filtering
    2. Mailbox rules (if a message is handled by a rule clutter processing will not happen)
    3. Clutter processing

Disable Clutter (as a user)
It's possible to disable Clutter per user. Just follow the guide below:

  1. Log into OWA
  2. Click on the Gear > Options > Automatic Processing > Clutter
  3. Select Don't separate items identified as Clutter 
  4. Click Save.

Disable Clutter for the company (using a transport rule) ?
Create a new transport rule and use the following header/vaule to bypass Clutter for that e-mail:

  • HeaderName X-MS-Exchange-Organization-BypassClutter
  • Value true


Remove "orphaned" meetings in RoomMailboxes

When users are leaving the company there should be a "phase out" routine to be followed with different IT tasks to be perfomed (below is just an example);
  • Log and revoke system access and permissions
  • Hand over data to manager and/or other owners
  • Delete all other data (mail, home folders, etc)
  • Cancel meetings (and/or transfer them to other responsible organizers)
However sometimes users that have left the company haven't canceled meetings and you need to remove the bookings from the RoomMailboxes (or EquipmentMailboxes) in Exchange.
Powershell to the rescure:
# Define email to search for
# Requirements
# Connection to Exchange (online) using Powershell
# Administrator account with "Mailbox Import Export" role in Exchange (online)

# Task flow
# Lookup primary email address for user
# Search meetingrooms for meetings (if needed)
# Delete meetings from meetingrooms (backup if needed)

#Search in Powershell (output in console)                               
get-mailbox -recipienttype roommailbox | search-Mailbox  -SearchQuery ' AND kind:meetings' -EstimateResultOnly -Verbose | ft identity,success,resultitemscount

#Search in Powershell (output to targetmailbox)                               
get-mailbox -recipienttype roommailbox | foreach { search-Mailbox $_.alias -SearchQuery ' AND kind:meetings' -Verbose -TargetMailbox Administrator -TargetFolder "SearchAndDeleteLog" -LogOnly -LogLevel Full }

get-mailbox -recipienttype roommailbox | search-Mailbox  -SearchQuery ' AND kind:meetings' -DeleteContent -Force -Verbose

#Delete (with moving messages) - enter correct targetmailbox and folder
get-mailbox -recipienttype roommailbox  |  foreach { search-Mailbox $_.alias -SearchQuery ' AND kind:meetings' -DeleteContent -Force -Verbose -TargetMailbox Administrator -TargetFolder "BackupFolder" -loglevel Full }

Find erroneous AD Connect sync object (cannot sync object)

Today I was faced with an error in ADConnect. It couldn't sync one of the contact objects from on premise AD to Azure AD (Office 365). The error was on the AADConnect log:

  • Error in Connector operations
    • Status:completed-export-error
  • In error log (on the object)
    • Error:
      Object TypeMismatch
    • Connected data source error code:
    • Detailed data source error:
      A object with same proxyaddress does already exist in Azure Active Directory, but have a objecttype that is not compatible (objectclasses: contact, group or user). Solve this issie in the local catalog services or in Azure Active Directory, and try again. 
After a lot of trouble shooting I found that it was a guest account in Azure AD that caused the error. A guest account is normally created when a user is inviting/sharing a Sharepoint site or document with a external user. These users show up as

TO actually find objects with a specific email address in Azure AD and/or Exchange online you can do the following with PowerShell:
  1. Start PowerShell
  2. Connect to connect-msolservice
  3. Connect to Exchange online
  4. Run the script below (change the mail address)
# Define email to search for
$mail = ""

# Do the different searches (requires connect-msolservice)
Get-MsolGroup -All | where {$_.ProxyAddresses -match $mail } 
Get-Msoluser -All | where {$_.ProxyAddresses -match $mail } 
Get-Msoluser -ReturnDeletedUsers -All | where {$_.ProxyAddresses -match $mail } 
Get-MsolContact -All | where {$_.EmailAddress -match $mail } 

# Do the different searches (requires connection to Exchange online)
Get-Group -ResultSize Unlimited | where {$_.WindowsEmailAddress -match $mail } 
Get-DistributionGroup | where {$_.EmailAddresses -match $mail } 
Get-Mailbox -ResultSize unlimited | where {$_.EmailAddresses -match $mail } 
Get-Mailbox -SoftDeletedMailbox | where {$_.EmailAddresses -match $mail } 
Get-MailUser -ResultSize unlimited | where {$_.EmailAddresses -match $mail } 
Get-User -ResultSize unlimited | where {$_.UserPrincipalName -match $mail } 
Get-User -ResultSize unlimited | where {$_.WindowsEmailAddress -match $mail } 
Get-MailContact -ResultSize Unlimited | where {$_.EmailAddresses -match $mail } 
Get-Recipient -ResultSize Unlimited | where {$_.EmailAddresses -match $mail } 
Get-MailPublicFolder -ResultSize unlimited | where {$_.EmailAddresses -match $mail } 

Office 365 - convert a deleted mailbox to a inactive mailbox

In Office 365 you can convert mailboxes for old employees to inactive mailboxes. This will preserver the mailbox in Office 365 (and can later be connected and/or searched with eDiscovery).
  • Put an active mailbox on LitigationHold
    Set-Mailbox rikardst -LitigationHoldEnabled $true
  • Remove LitigationHold
    Set-Mailbox rikardst -LitigationHoldEnabled $false
  • Convert a deleted mailbox to inactive (put it on LitigationHold)
    • First assign a license to the user
    • Then put it on LitigationHold
      Set-Mailbox rikardst -LitigationHoldEnabled $true
    • Wait 60 minutes
    • Remove license
You cannot place LitigationHold on a deleted object (thats why you need to assign a license first).