Microsoft Azure and Office 365 Canadian Region Datacenters Now Live

by Ed Sparks

An announcement we've all been waiting to hear finally happened today. Microsoft has indicated that they have launched the Canadian datacenters, which are located in Toronto and Quebec City. 

We look forward to moving all of our Canadian-based clients to this new infrastructure, and all of the new opportunities it will bring for industries that were previously blocked from using Microsoft's cloud services.

Following up from our announcements of new datacenter regions in Japan, Australia and India over the last 18 months, today we are announcing the general availability of a new Office 365 datacenter region in Canada. The new datacenter region adds in-country data residency, failover and disaster recovery for core customer data at rest to customers in Canada. Canadian customers continue to have access to the full breadth of productivity and collaboration services available in Office 365 today.

The full announcement is available here.

Contact us today for assistance with your Exchange, SharePoint or VM cloud migration.

Office 365 / Azure AD Password Synchronization Security

by Ed Sparks

We are often asked by customers how secure it really is to synchronize their passwords to and from Azure AD, be it standalone or as part of Office 365.

Our short answer:

The passwords themselves are never sent over the wire in either direction. In all cases only password hashes are sent.

The longer answer is easily derived and supported both from TechNet articles and various third-party sites. The key take-away is that only the hashes are ever retrieved, additional encryption applied, and then that is sent to Azure AD or back.  The passwords themselves are never used or sent.

From TechNet:

The Active Directory Domain Service stores passwords in form of a hash value representation of the actual user password. The Password hash cannot be used to login to your on-premises network. It is also designed so that it cannot be reversed in order to gain access to the user’s plain text password. To synchronize a password, the Directory Sync tool extracts the user password hash from the on-premises Active Directory. Additional security processing is applied to the password hash before it is synchronized to the Azure Active Directory Authentication service.

When synchronizing passwords using the password sync feature, the plain text version of a user’s password is neither exposed to the password sync tool nor to Azure AD or any of the associated services.

Additionally, there is no requirement on the on-premises Active Directory to store the password in a reversibly encrypted format. A digest of the Windows Active Directory password hash is used for the transmission between the on-premises AD and Azure Active Directory. The digest of the password hash cannot be used to access resources in the customer's on-premises environment.

From A Third-Party

An independent company that makes SharePoint and Office 365 tools also performed their own analysis, down to the packet capture level. What they found was:

The hash over the wire that is captured is not an MD4 hash of clear text password. It is a secure PBKDF2 key derived from SHA256 hash of the MD4 hash (derived from crypto API documented at per RFC 2898.

Read more at their blog post:

Overall we're very confident using this functionality at our customer deployments, and Microsoft have created a well thought out and secure implementation.

Microsoft Finally Building Canadian Data Centres and Region

by Ed Sparks

We were very excited today with Microsoft's announcement that they will be building data centres in Ontario and Quebec, and creating a Canadian region for Azure and Office 365.

This will dramatically expand the potential to help more of our customers move their data to the cloud, while ensuring they meet privacy and regulatory requirements to keep data in Canada.

Unfortunately, this doesn't appear to be live until 2016, but superb news nonetheless.

They even flew Kevin Turner in to help make the announcement.

Microsoft today announced plans to deliver commercial cloud services from Canada. Azure, Office 365 and Dynamics CRM Online will be delivered from Toronto and Quebec City in 2016, further strengthening Microsoft’s footprint in Canada’s competitive cloud landscape.

These new locally deployed services will address data residency considerations for Microsoft customers and partners of all shapes and sizes who are embracing cloud computing to transform their businesses, better manage variable workloads and deliver new digital services and experiences to customers and employees. General availability of Azure is anticipated in early 2016, followed by Office 365 and Dynamics CRM Online later in 2016

The full press release is available here.

We look forward to helping more Canadian customers migrate to the cloud soon!

Contact us today to get planning!

So, Office 365 is what, exactly?

by Ed Sparks

As we help more and more of our customers migrate from their existing on-premise Exchange 2007, 2010 and 2013 environments to the Office 365, the number one question we get is: "So, umm, what is Office 365 again?"  The biggest misconception that exists (and one we're not entirely sure how it came to be) is that Office 365 is the actual Office software suite, versus the cloud services. Microsoft's ever-growing and ridiculous amount of versions and names certainly doesn't help the cause.

Blogging genius, and all around swell guy Paul Thurrott once again does a great service to the community by summarizing the many, many options available. 

Which Office 365

Microsoft offers a wide range of Office 365 subscription plans that target individuals, households, and businesses (and business-like entities) of all sizes. But given the tremendous value and the sheer amount of choice here, how do you choose? Ultimately, it just comes down comparing the consumer and business versions of Office 365, and then understanding the benefits of each subscription.

Now that you've figured out which version you want and need, get in touch with us and let us help with your migration.  We'll do it right, the first time.


Smarter Room and Equipment Booking Response Emails in Exchange

by Ed Sparks

Room and Equipment mailboxes are extremely useful in Exchange, especially when combined with the Resource Booking Attendant to automatically accept or reject invites.

What isn't well implemented is the ability to have the Booking Attendant respond with information that is relevant to the response.  Microsoft provide's the More Information option which allows the response to include some extra text, but this information is unfortunately sent with every response - accept, deny, or change.

For resources like conference call lines, or specialized meeting rooms with booking restrictions this can lead to confusion.  Why is the room denying my request, then sending me useful information about the room?  

Behold the Transport Rule

To work around this limitation, an administrator must instead turn to the flexibility of Transport Rules.  Transport Rules allow for the checking of the response type and then including more relevant information for the end user.  Why was my request denied? What do I do next? What do I need to know about the resource?

The trick to making these work is the Append Disclaimer Text Rule Action, which will then allow some basic HTML to be entered.  This will get appended to the response message from the Booking Attendant (below the canned information that Exchange adds).  One caveat is that due to the way Exchange and Outlook utilize embedded special messages for Calendar Response Emails, most HTML is stripped.  Therefore the disclaimer text should only use very simple HTML tags like <FONT>, <B>, <BR>, etc. Most notably Tables and CSS will be stripped. However, if all your users are using OWA instead of desktop Outlook, quite full featured HTML is allowed. YMMV.

Putting it all Together

  1. Modify all of your Resource Mailboxes to remove any Add Additional Text settings under the Resource Information tab.
  2. Create a new Transport Rule under Organization Configuration/Hub Transport.  One rule for each type of response is necessary.  i.e. "Room Booking Accepted" and "Room Booking Denied for Permissions" or "Room Booking Conflict"
  3. For the Condition of the rule, choose the From People and When the Subject Field or Message Body Contains specific words.  Be sure NOT to choose the text patterns option, as this will not work for calendar responses.
  4. Click on these new rule conditions in the bottom pane and select each of the Resource Mailboxes in the From settings.  Then, in the subject or body selection, type the exact phrase that is part of the appropriate built-in Exchange meeting response.  For example, "your request was accepted" (no quotes)
  5. Click next, then choose Append disclaimer text and fallback to action if unable to apply for the Action.  Click in the bottom pane on append and enter the raw HTML for your response.  It is best to create and test the HTML elsewhere, than paste it into the box as there is no sort of preview or editor.
  6. For the rest of the settings of the Transport Rule accept the defaults.  Finish and close the rule.
  7. The responses should work within about 30 seconds of creating or modifying the rule
  8. Repeat as necessary for different resource types and responses. 

Note, this works equally well for Office 365/Exchange 2013/Online, but obviously the steps are slightly different through Exchange Admin Center.  An additional item to keep in mind is that it is unfortunately not possible remove the embedded canned response text that Exchange always includes. We refer to this as the "above the line" text, as exchange puts a horizontal rule and "Sent by Microsoft Exchange Server..."

This method has been of tremendous value to many of our clients to get much more useful responses, and happier staff.

Need help configuring this in your environment? Is your Exchange server out of control?  Contact us today!

Office 365 (Small) Business Plans now on par with Enterprise

by Ed Sparks

Transport Rules in Office 365 Small Business 

Microsoft rolled out the consolidation and updates to their Office 365 plans back in October 2014, which was a huge step in the right direction for the service.

Not only did they simplify down to fewer plans (a rare move for Microsoft!), they also finally unified the administrative UI for all.  No longer will we have to remember obscure URLs (I'm looking at you Exchange Control Panel), or muddle our way through a mix of confusingly different admin sites.  On top of that, you can now have up to 300 mailboxes in the Business plans, and can mix and match Business, Enterprise and Standalone SKUs all in the same account.   FINALLY!

Somewhat lost in this news - but a very welcome change - is that the actual back-end infrastructure is now the same for all of the services.  That means Business customers now get virtually all the power as Enterprise customers.  Of particular interest is Transport Rules.  A glaring absence in previous Business plans, these are now fully available across the board.  You should drop everything and go enable a Transport Rule to "Block Executable Content" on ALL of your Office 365/Exchange Online domains.  This is a superb anti-malware step that makes every admin's life easier.

Now, in true Microsoft fashion, this transition couldn't be simple.  Everyone on an existing Small or Medium Business Plan will need to either manually force an upgrade to the new plans (and thus, we're assuming, get migrated behind the scenes to new infrastructure) or wait until October 2015!  

No problem, you say, we've got our old friend the Switch Plans Wizard. I like wizards!  Switch Plans will let you upgrade early, except when it won't.  Which seems to be most of the time.

Currently it won't work if there are ANY open service Incidents under the Service Status page. Additionally, upgrades to the new plans aren't available if you have more than one type of existing Plan.  Small Business and Small Business Premium? Nope.  Old P Plan mixed with newer Small Business Plan.  Nope.  

However, there does seem to be a workaround.  Pick your largest group of existing subscriptions and cancel the others temporarily  (i.e if you have 10 Small Business and 2 Small Business Premium subscriptions, keep the Small Business and cancel the Premium.)  Nothing will happen to your mailboxes or users.  The users and licenses will just temporarily go into a licensing holding pattern on Microsoft's side.   Users won't lose access or notice anything.  You will, however, get a temporary warning about license problems in the Admin Portal, though.

At this point the Switch Plans Wizard under the Billing section of the Portal should now allow you to upgrade your existing Small or Medium Business Plans to the equivalent Office 365 Business Essentials or Business Premium plans.

The New Plans

Just like that you'll be migrated and have a much more powerful and easy to administer service!  The bonus? They're cheaper, too.  Also - remember to then go back and purchase the equivalent new versions of the other licenses you cancelled.

Here's Microsoft's original blog post on the topic:


Update:  We've clarified this process with a recent transition, and it's still far more complicated than it needs to be.  Microsoft really needs to make this simpler.
When removing multiple types of license to temporary consolidate down to a single license type, it will still take 30 days by default before the license type is "deprovisioned" from Microsoft's systems. Only after that time has passed can the Switch Plans wizard be used.  

It is possible, however, to open a ticket with Microsoft to have an "Expedited Deprovisioning" performed on a license.  This happens within 3 days, and requires filling out a special form, and you must first ensure that you have temporarily assigned a different license to all active users first, or there is risk of the users and mailboxes being deleted.

Need Office 365 Migration Help?  Want us to do the hard parts for you?  Contact us today.

Exchange Online (or EOP) Transport Rules and Distribution Groups

by Ed Sparks

When creating a transport rule that is meant to apply to a Distribution Group in Exchange Online (or EOP or Exchange 2013 for that matter), often an administrator will attempt to use "The sender is" or "The sender address includes" or look for text in a the "To:" header.  

Unfortunately, none of these options will work due to the way that Exchange appears to first expand the Distribution Group, then checks the Transport Rules.

This information is non-obvious and buried in the Transport Rule Conditions documentation.

Symptoms of this issue are that the transport rule won't fire, and as a result any actions will be skipped.

So how do you work around this?  Use a condition of "The To or Cc box contains" in the rule, and it will correctly check for the SMTP address of the Distribution Group.  It does not appear possible, however, to check for a BCC to a DG.

Administrators must also be careful not to use "The Sender is a member of" or this rule will apply to all emails received by users who are a member of the list, which can have major negative effects.

On the other side of the Transport Rule fence is trying to use a Transport Rule Action of Forward or Redirect a message to a Distribution Group.  This will appear to work, then throw an error when the rule is saved:

The transport rule can’t be created because [email protected], the recipient to be added by a rule action, is a distribution group. Transport rules can’t add distribution groups to messages.

This is a known issue, and the only workaround in this instance is to create a hidden Shared Mailbox.  Change this Shared Mailbox's Delivery Options to Forward mail to your Distribution Group only, then set the Transport Rule to Redirect or Forward to this new Shared Mailbox.  Clunky, but it works.