Exchange – How To HelpDesk

January 17, 2023January 17, 2023

How to get Basic Authentication Azure AD sign-in log

As many of you know it’s been a long time, since Basic Authentication Deprecation in Exchange Online, but now it’s finally shutting down. So best to know if your network or application still using these older protocols or not and if so upgraded to use Auth 2.0. You can find more info here: https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-deprecation-in-exchange-online-september/ba-p/3609437

This will be the last notice 7 Days before it’s shuts down:

Protocols that are in scope for disablement:

MAPI
RPC
Offline Address Book (OAB)
Exchange Web Services (EWS)
POP
IMAP
Exchange ActiveSync (EAS)
Remote PowerShell

Not in scope for this disablement (we are not making changes to):

SMTP AUTH

You can log in to your Azure AD via https://aad.portal.azure.com/ Go to Sign-in logs

You can run the report for the sign-in log to see if any device or user using basic protocols

If you don’t see Client app, you can click on Columns to get options.

If you don’t see the Client app, you can add the filters.

Click on Add filters>Client app

Click Apply

Once you add the Client app

Then Click on the Client app to select the MAPI Over HTTP

Click Apply

You should see if anything using the basic protocols, if you see none that means you are using newer protocols, also make sure to select the Date last 7 days or longer, in case some device or user sign-in once in a while.

If you want to select other protocols you can, just to make sure no one is using it

That’s it, hope it helps some people out there

If you are using osTicket or EWS service you can find a link to one of my posts to update the protocol to Auth2.0:

https://howtohelpdesk.com/how-to-setup-oauth-on-osticket-using-microsoft-365/

or EWS service: https://howtohelpdesk.com/how-to-configure-oauth2-0-using-ews-on-microsoft-o365/

October 24, 2022October 26, 2022

How to configure OAuth2.0 using EWS on Microsoft O365

Upgrading from basic authentication to OAuth is a little harder for many small businesses to configure on the Azure portal. Here are the steps I have done to get our EWS service to get it working. You must have admin rights to do the following.

Create an app registration

You need to log in to your Azure portal: Go to Azure Active Directory>App registrations

Next, click on New registration

Next, fill in the info

This is where you choose your access options, based on the selection, the next screen will have different options, for us, we choose Single tenant and Redirect URI option for Public client/native, if you don’t have a URL you can leave it blank

In case you need to add or change the Authentication platform, you can click on Authentication>Add a platform>Select one that works with your Business needs

Based on your selection, you will need to select the URL option, or your custom URL

Then give API permission

This can be many permissions or just a few, also based on the type of application, you may get different options

Us, we are using EWS service, so we needed office 365 Exchange Online

Then you need to select the type of permission, we are using application permissions

The only thing we can get it working was by giving full_access_as_app

You need to give admin consent to your application, so once you have all permission added, click on Grant admin consent

To create client credentials, click on Overview>Add a certificate or secret

Click on the Clent secrets>New client secret

Enter the name, this could be anything and select the time when it Expires, then click on Add

Before you click out of this screen make sure to copy the value of your secret ID, which you will need for your app. Once you leave this screen, you will not be able to get this value back, so you may need to create a new one in case you have not copied it or you need to change it.

For your application, you will need the following info, which you can find it, here

Application ID
Directory (tenant ID)
Endpoints: authorize and token
- If you have selected the multi-tenant option, your Endpoints URL will be generic, like these:
  https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize
  https://login.microsoftonline.com/organizations/oauth2/v2.0/token
Value of secrets from the step above

That’s all, hope this helps someone out there who is going through these changes in technologies

August 12, 2021April 15, 2024

How to update Microsoft Azure Active Directory Connect

If you have your AD sync to Microsoft Azure and have installed the Active Directory connect, you may need to update, and here is how to do that

To see the status of sync, you can log in to the Microsoft admin portal at https://admin.microsoft.com

on the home page, you should see Sync Status, click on the Sync staus to get to the details page

You should see something like this: Click on Microsoft Download Center or this link: https://www.microsoft.com/en-us/download/details.aspx?id=47594

It will bring you to the Download page, read the requirements, and download to your software

When you run the setup you may get an error message if you don’t have the TLS enabled
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-tls-enforcement

PowerShell command to enable TLS 1.2: got it from the link above, copy from Microsoft so you don’t have typo or if you know how to enable yourself do so

New-Item 'HKLM:SOFTWAREWOW6432NodeMicrosoft.NETFrameworkv4.0.30319' -Force | Out-Null

New-ItemProperty -path 'HKLM:SOFTWAREWOW6432NodeMicrosoft.NETFrameworkv4.0.30319' -name 'SystemDefaultTlsVersions' -value '1' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:SOFTWAREWOW6432NodeMicrosoft.NETFrameworkv4.0.30319' -name 'SchUseStrongCrypto' -value '1' -PropertyType 'DWord' -Force | Out-Null

New-Item 'HKLM:SOFTWAREMicrosoft.NETFrameworkv4.0.30319' -Force | Out-Null

New-ItemProperty -path 'HKLM:SOFTWAREMicrosoft.NETFrameworkv4.0.30319' -name 'SystemDefaultTlsVersions' -value '1' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:SOFTWAREMicrosoft.NETFrameworkv4.0.30319' -name 'SchUseStrongCrypto' -value '1' -PropertyType 'DWord' -Force | Out-Null

New-Item 'HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.2Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.2Server' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.2Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.2Client' -Force | Out-Null

New-ItemProperty -path 'HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.2Client' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:SYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.2Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
	Write-Host 'TLS 1.2 has been enabled.'

Then re-run the AD Connect setup:

Note, if you have a big network, this may take some time, so do off-hours, because it will stop the sync of your AD until the upgrade is completed

You should see the upgrade process and synchronization

Then it will ask you for admin credentials:

If everything goes well you should see, Ready to configure, click Upgrade

Then, the configuration complete

now you can check the status on the admin page

That’s it, hope this helps someone

May 13, 2020May 13, 2020

How to delete Active Directory user with privilege issue

There may be a number of reasons you can’t delete some users from Active Directory, one of them could be domain admin or enterprise admin privileges. Another could be some objects are still in use or not sync up with an exchange, they both have some many references, so can’t delete active directory user with exchange ActiveSync

I had come across one after migration to Office 365, some user account that may have old Exchange attributes that cannot be deleted and you will have to manually give your self full access. here is how to delete those account that has privilege issues.

First you need to change the view to: use the “view -> users, Contacts, Groups, and Computers as containers”

Then go to the user you are having issue deleting, give you self full permission to object then you should be able to delete it

January 31, 2019January 31, 2019

Increase allowed maximum attachment size

On exchange 2010 or may be applied to other versions of on-premise exchange. You have maximum attachment size setting to allow people to send to other users and there are many causes based on settings of, database, mailbox, email spam system, firewall, etc… Also, there is one more on Active sync, which is by default is 10 MB, so it does not matter, if you have allowed bigger attachment. When using the smartphone you will see the server rejected message when your attachment is larger than 10 MB.

You can Open the web.config settings of the Microsoft Active Sync

Then edit the httpRuntime maxRequestLength to whatever you like

After the change is been made, you will need to restart the IIS service to take effect of your new settings. Then you should be able to send bigger attachments from your smartphone. Some other things to be noted, if your mail server allowing bigger attachment that does not mean other mail server will accept bigger attachment. Most spam system scanner inside your attachments and can block if something inside attachment have strange type of content.