Watch Sessions from the Microsoft Exchange Confrence 2014

The Microsoft Exchange Conference (MEC) 2014 recently wrapped up.  MEC is the premier global event for Microsoft Exchange and Office 365 professionals to enhance their skills. The MEC sessions will help you understand the future of Exchange for all customers and learn from people who build and maintain the product. MEC allows administrators, IT Pros, and Developers to elevate their career potential and enhance their overall knowledge of Microsoft Exchange. MEC2014 took place March 31-April 2, 2014 in Austin, TX.

MEC2014 delivered the latest content for Office 365 Exchange Online and Exchange on-premises customers. Content is delivered across tracks including: Architecture; Deployment & Migration; eDiscovery and Compliance; Exchange Extensibility; Manageability and Support; Outlook, OWA, and Mobility; and Security and Protection

You can now watch the Keynote and breakout sessions for free on Microsoft Channel 9 web site.

Windows Phone 8.1 Developer Preview Now Available

This morning Microsoft released the Windows Phone 8.1 update to developers.  This introduces a huge set of features including the much anticipated Cortana digital assistant.

Everyone can get access to this update now by following a few simple steps.  Check out the great write-up over at Windows Phone Central that covers the Developer Preview program. 

The update installation happens in 2 steps and takes a while to install.  The more data you have on your phone, the longer the updates take to install.   While waiting for the installation to complete, check out the Windows Phone 8.1 review article at Windows Phone Central. 

Do you already have Windows Phone 8.1 installed?  What do you think?

Office Message Encryption in the Microsoft Government Community Cloud

Microsoft has been rolling out an update to Office 365 tenants that adds Windows Azure Rights Management and Office 365 Message Encryption.  The initial deployment of these technologies were targeted towards customers in the enterprise cloud; referred to as “E” tenants.   Customers in our Government Community Cloud (GCC) environment have not had access to these capabilities until recently.

A co-worker has written up a great blog post that shows how to setup Office 365 Message Encryption in a GCC tenant.   Check it out here.

Office for iPad now available

Today Microsoft announced a new Office suite for iPad.  The applications provide users the ability to view Word, Excel and PowerPoint files for free.   If you have a personal or enterprise Office 365 account you can use the Office suite to edit documents too.

You can download these new Office applications for iPad below:

Word | Excel | PowerPoint

Office 365 End User Adopition Kit

Organizations that choose to deploy Office 365 or any of the individual components are always concerned about deployment, end user adoption, training and support.  Questions I receive from customers usually include:

  • How do we build excitement within the user community about the upcoming deployment?
  • How do I communicate the changes to the users?
  • What tools does Microsoft make available for our help desk employees for supporting Office 365?
  • Do you have a sample project plan for deploying Office 365?

To help organizations accelerate their deployment, Microsoft has created a package called the Office 365 Change Management Guide for the Enterprise.  This guide includes the following great content:

  • Email templates to help generate end user awareness and excitement about the Office 365 deployment.
  • Policy templates that help the organization to build out best practices for using the new capabilities included in Office 365.
  • Launch event and awareness PowerPoint presentations that can be used by the organization to introduce Office 365 to the end users.
  • Posters that can be printed and displayed within the organization to build interest and awareness of Office 365 capabilities.
  • A help desk troubleshooting guide to assist help desk employees support the end users.
  • Net User Satisfaction (NSAT) survey that can help an organization measure internal user satisfaction with their deployment of Office 365.
  • Training document template that can be used to help create standardized internal training offerings.
  • Two Office 365 introduction videos that can be shared with end users to help with awareness of capabilities.
  • An Office 365 rollout and adoption workbook that can be used by the project manager during awareness, pilot, deployment, and run state.

You can download the free Office 365 Change Management Guide for the Enterprise kit here.  I also maintain a curated list of links to important Office 365 documentation and training materials in my resource section on this blog.

Manage Your Office 365 Rollout Using Yammer

I ran across an interesting blog post that I thought I would pass on to my visitors.  

As customers roll out Office 365, they often ask us how they can best use Yammer to manage their deployment. Changing from one IT system to another can be a daunting task, and the potential to create a large degree of disruption and uncertainty throughout the organization underscores the need for change management. Using a community-based approach on your Yammer network, with peer to peer learning, will help your organization adopt new technologies alongside the change.

Read the full post here:

The New Office Online

Today Microsoft has launched Office Online at  Office Online allows you to collaborate for free on documents, spreadsheets, presentations and notes. 


When you click on one of the Office product tiles on the site you will be asked to sign-in with your Microsoft Account and then it will launch you into the application.   Don’t have a Microsoft Account?  No worries, the site will prompt you to create one for free.

All of your documents created using Office Online will be stored in your free 7GB OneDrive account.  OneDrive is your personal storage location in the cloud that provides you a safe and secure place to keep your documents and important files.

If you have used Office Web Apps in the past you will want to return and check out the new Office Online.  If you have never used the Office Web Apps, what are you waiting for?   It is a great free collaboration solution for creating, coauthoring, viewing, and sharing your documents and files!

What are you waiting for?  Get started now!

Exchange Online: Exclusive Management Scopes for eDiscovery

Exchange Online offers organizations a simple interface for performing eDiscovery and legal holds across mailboxes.  By default, the global administrator for the Office 365 tenant has the ability to add users to a Discovery Management admin role which provides them legal hold and mailbox search capabilities across the organization.  These discovery managers can perform eDiscovery and apply legal holds to any content stored within the Exchange Online mailboxes.

Note: to place content on in-place hold the mailbox must have an Exchange Online Plan 2 or an Exchange Online Archiving license assigned.

What happens if an organization needs to have a separation of discovery and management capabilities for groups of mailboxes?  With Exchange it is possible to create exclusive management scopes which only allow people in defined roles attached to these scopes to have the ability to perform discovery or management functions.  In Exchange Online an exclusive management scope allows you to define groups of mailboxes based on AD property filters or OUs.  TechNet defines an exclusive scope as “a special type of explicit management scope that can be associated with management role assignments. Exclusive scopes are designed to enable situations where you have a group of highly valuable objects, such as a CEO mailbox, and you want to tightly control who has access to manage those objects. “ 

An example of where discovery and management separation may need to occur is in a United States county government.   A county government has many departments including public safety and courts.  The county government may want to have one person who can do discovery and legal holds on public safety and courts mailboxes and another person who can perform the same on all other mailboxes.  These two discovery managers must never have the ability to perform searches or place content on legal hold for the other person’s group. 

To get started setting up exclusive management scopes you will need to prepare a local computer with the necessary PowerShell pre-requisites for Exchange Online management.   See my prior blog post on PowerShell for Office 365 for more details.   I highly recommend that you test out exclusive management scopes in a trial Office 365 environment first to ensure that they work as you expect.   If you follow the steps in this article you do so at your own risk.  Changing the configuration of Exchange Online may have unexpected consequences within your environment.

Connecting to Exchange Online via PowerShell can be done using the following 3 commands:

  • $LiveCred = Get-Credential
  • $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $LiveCred -Authentication Basic –AllowRedirection
  • Import-PSSession $Session

Now that the connection to Exchange Online is established, it is possible to create new exclusive management scopes.  In this example I am creating 2 management scopes, one for Organization A and another for Organization B.   These scopes are filtered using the Active Directory DisplayName property and the mailbox type (RecipientType / RecipientTypeDetails).    In my demo environment I have added  the text “(ORGA)” or “(ORGB)” to the DisplayName property of user accounts in order to filter them into the correct exclusive management scopes.

  • New-ManagementScope “Organization A Exclusive Scope” -RecipientRestrictionFilter {((RecipientType -eq ‘UserMailbox’) -and (DisplayName -Like “*(ORGA)”)) -or ((RecipientTypeDetails -eq ‘DiscoveryMailbox’) -and (DisplayName -eq ‘Organization A eDiscovery Mailbox’))} -Exclusive –Force
  • New-ManagementScope “Organization B Exclusive Scope” -RecipientRestrictionFilter {((RecipientType -eq ‘UserMailbox’) -and (DisplayName -Like “*(ORGB)”)) -or ((RecipientTypeDetails -eq ‘DiscoveryMailbox’) -and (DisplayName -eq ‘Organization B eDiscovery Mailbox’))} -Exclusive –Force

Note: currently Exchange Online management scopes can only be filtered using the DisplayName property or an Active Directory Organizational Unit (OU).  Using any other Active Directory property will appear to work during the creation of the scope, however, it will cause errors when a discovery manager attempts to perform an eDiscovery query.

With the exclusive management scopes created it is now time to create admin role groups for ORGA and ORGB administration and discovery management.  The commands shown below will create the admin role groups which are not yet associated with the exclusive management scopes.  During the creation of the groups you can add members to the groups.  In my example I add the “Organization Management” group to the Organization A/B administrators group.  I also add a person with the username AlexD to the Organization A Discovery Management group and a person with the username RobinC to the Organization B Discovery Management group.   Alex and Robin are the discovery managers for their respective management scopes.

  • New-RoleGroup -Name “Organization A Administrators” -Roles “Mail Recipients”,”User Options”,”Mail Recipient Creation”,”Recipient Policies”, “Reset Password” -Members “Organization Management” –Force
  • New-RoleGroup -Name “Organization A Discovery Management” -Roles “Legal Hold”, “Mailbox Search” -Members “AlexD” –Force
  • New-RoleGroup -Name “Organization B Administrators” -Roles “Mail Recipients”,”User Options”,”Mail Recipient Creation”,”Recipient Policies”, “Reset Password” -Members “Organization Management” –Force
  • New-RoleGroup -Name “Organization B Discovery Management” -Roles “Legal Hold”, “Mailbox Search” -Members “RobinC” –Force

With both the exclusive management scopes and the admin role groups created I can associate them together to ensure that the administrators and discovery managers can only manage mailboxes in the scope assigned to their admin role.

  • Get-ManagementRoleAssignment -RoleAssignee “Organization A Administrators” | Set-ManagementRoleAssignment -ExclusiveRecipientWriteScope “Organization A Exclusive Scope” –Force
  • Get-ManagementRoleAssignment -RoleAssignee “Organization A Discovery Management” | Set-ManagementRoleAssignment -ExclusiveRecipientWriteScope “Organization A Exclusive Scope” –Force
  • Get-ManagementRoleAssignment -RoleAssignee “Organization B Administrators” | Set-ManagementRoleAssignment -ExclusiveRecipientWriteScope “Organization B Exclusive Scope” –Force
  • Get-ManagementRoleAssignment -RoleAssignee “Organization B Discovery Management” | Set-ManagementRoleAssignment -ExclusiveRecipientWriteScope “Organization B Exclusive Scope” -Force

The discovery managers will need their own independent discovery mailboxes with appropriate permissions so that they can work securely and independently of each other.  The final set of PowerShell script commands below create discovery mailboxes for Organization A and Organization B and then sets permissions.   Notice that I am denying access to the overall default Discovery Management role and ensuring only the Discovery managers for Organization A and B have access to only their discovery mailbox.

  • New-Mailbox “Organization A eDiscovery Mailbox” –Discovery
  • Add-MailboxPermission “Organization A eDiscovery Mailbox” -user “Organization A Discovery Management” -AccessRights FullAccess
  • Add-MailboxPermission “Organization A eDiscovery Mailbox” -user “Organization B Discovery Management” -AccessRights FullAccess –Deny
  • Add-MailboxPermission “Organization A eDiscovery Mailbox” -user “Discovery Management” -AccessRights FullAccess -Deny
  • New-Mailbox “Organization B eDiscovery Mailbox” –Discovery
  • Add-MailboxPermission “Organization B eDiscovery Mailbox” -User “Organization B Discovery Management” -AccessRights FullAccess
  • Add-MailboxPermission “Organization B eDiscovery Mailbox” -user “Organization A Discovery Management” -AccessRights FullAccess –Deny
  • Add-MailboxPermission “Organization B eDiscovery Mailbox” -user “Discovery Management” -AccessRights FullAccess -Deny

Creating exclusive management scopes and assigning them to admin roles using PowerShell is a simple process.  Is this the best solution to address the need for separating the management and discovery admin roles to exclusive groups of mailboxes?  It really depends on the organizations need for central management vs. the need to have separation of administration duties.  In some cases it might make more sense to have multiple Office 365 tenants in order to provide complete separation between organizational entities.

Below is a short video that demonstrates the steps outlined in this article.



Download the sample PowerShell script

Running a Secure Service – Exchange Online

When speaking with my customers about Exchange Online and Office 365 one topic is always on the top of their mind;  security and privacy of their data.  Customers want to know how their data will be protected and will it be more secure moving to the Microsoft cloud than remaining on premises (hint: the answer is almost always yes).

Yesterday one of the TechNet blogs called “Ask Perry” dove directly into the security aspect of Exchange Online and answered some of the most frequently asked questions such as:

  • Is Encryption the silver bullet to provide a secure and private service?
  • What are the physical containers and logical boundaries to reduce risk in the service?
  • How does the service employ the concept of “functional boundaries”?
  • How does the concept of “searchable encryption” work with the service?
  • Does the concept of a customer controlled encryption key really reduce risk in a service?
  • What features does the service provide enabling to reduce a customer risk?

To learn the answers to these questions, jump on over and watch the Geek Out with Perry video covering the topic of Running a Secure Service.

Configuring Licenses in SharePoint 2013

One of the most frequently asked questions when I was working with SharePoint 2010 was “Can we have both standard and enterprise client access licenses (CALs) in the same SharePoint Farm?”.   The answer was always yes but with a follow on discussion.  The discussion dove into the challenges for an organization to track and ensure that the users licensed with a standard CAL were not accessing enterprise CAL features.   In SharePoint 2010 organizations were limited to setting up site collections and sites around CAL types.  This type of architecture introduced may issues and blocked some people from easily collaborating with each other.

In SharePoint 2013 a new concept was introduced that enables an organization to define license groups in AD and then map them to specific license types in SharePoint.  This new model has made it much more easier for an organization to track SharePoint licenses, maintain license compliance, and provide better collaboration capabilities to end users.

The video below walks through the simple process of configuring SharePoint 2013 licensing.


For more information you can check out an article published on TechNet called Configure Licensing in SharePoint Server 2013.