The default retention period for a deleted mailbox in Microsoft 365 is 30 days; within that window we can recover a deleted or inactive user's mailbox to a new user or to a temporary user.
Please note that if you remove the license from a user, the mailbox will also be removed; once we reassign the license, the mailbox will reconnect automatically.
To list all the deleted mailboxes
Get-Mailbox -SoftDeletedMailbox | select DisplayName, PrimarySmtpAddress, WhenSoftDeleted, RecipientTypeDetails, GUID, CustomAttribute6, DistinguishedName
#You can export this list to CSV.
Get-Mailbox -SoftDeletedMailbox | select DisplayName, PrimarySmtpAddress, WhenSoftDeleted, RecipientTypeDetails, GUID, CustomAttribute6, DistinguishedName | Export-Csv C:\Temp\Deletedmailboxes.csv -NoTypeInformation
#In the output file we can find the information for the mailbox we want to recover.
We can also look up a single mailbox among the deleted mailboxes.
Now you can track the restore using the commands below.
#To get all the restore requests.
Get-MailboxRestoreRequest | Get-MailboxRestoreRequestStatistics
#To get just one restore request.
Get-MailboxRestoreRequestStatistics -Identity RestoreRequest
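The restore itself plus the status check, as an added example that is not code from the original post; it assumes an Exchange Online PowerShell session is already connected, and the two addresses are placeholders.

```powershell
# Added example (not from the original post): restore a soft-deleted mailbox into another
# user's mailbox and poll the request until it finishes. Assumes an Exchange Online
# PowerShell session is already connected; the two addresses are placeholders.
$SourceAddress = 'leaver@contoso.com'    # placeholder: the deleted user's old address
$TargetAddress = 'manager@contoso.com'   # placeholder: mailbox that receives the data

# Look up the single soft-deleted mailbox; the restore request keys on its ExchangeGuid,
# which stays unique even if the SMTP address has since been reused.
$Source = Get-Mailbox -SoftDeletedMailbox -Identity $SourceAddress
if (-not $Source) { throw "No soft-deleted mailbox found for $SourceAddress" }
"Restoring '$($Source.DisplayName)' (soft-deleted $($Source.WhenSoftDeleted), GUID $($Source.ExchangeGuid))"

# Restore into a dedicated subfolder so recovered items stay separate from the target's own mail.
# -AllowLegacyDNMismatch is required because source and target belong to different users.
$Request = New-MailboxRestoreRequest -SourceMailbox $Source.ExchangeGuid `
    -TargetMailbox $TargetAddress `
    -TargetRootFolder "Recovered - $($Source.DisplayName)" `
    -AllowLegacyDNMismatch `
    -Name "Restore-$($Source.Alias)"

# Poll until the request leaves its transient states (this is the "trace the restore" step).
do {
    Start-Sleep -Seconds 60
    $Stats = Get-MailboxRestoreRequestStatistics -Identity $Request.Identity
    '{0}: {1} ({2}% complete)' -f $Request.Name, $Stats.Status, $Stats.PercentComplete
} while ($Stats.Status -in 'Queued', 'InProgress')

if ($Stats.Status -notin 'Completed', 'CompletedWithWarning') {
    # Pull the detailed report for troubleshooting and leave the request in place for review.
    (Get-MailboxRestoreRequestStatistics -Identity $Request.Identity -IncludeReport).Report
}
```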
Protecting your admin accounts in Microsoft 365 is vital: MFA should be enabled for all admin accounts in M365, and it is recommended that at least all privileged users use the Microsoft Authenticator app for MFA.
Users can be members of multiple role groups, and it is sometimes hard to identify who is not complying with these policies.
The script below, available on TechNet, lists the users from all role groups together with their MFA details and password age.
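An added example (not the TechNet script the post refers to) that builds this report with the older MSOnline module, which Microsoft is retiring in favour of Microsoft Graph; it assumes Connect-MsolService has already been run, and the password-age threshold is an assumption. StrongAuthenticationMethods reflects only per-user MFA registration, not MFA enforced through Conditional Access or Security Defaults, so an empty result means "not registered", not necessarily "not protected".

```powershell
# Added example (not the TechNet script the post mentions): list the members of every
# admin role with their MFA registration, default method and password age. Assumes the
# MSOnline module and an existing Connect-MsolService session; the age threshold is an assumption.
$MaxPasswordAgeDays = 90

$Report = foreach ($Role in Get-MsolRole) {
    foreach ($Member in Get-MsolRoleMember -RoleObjectId $Role.ObjectId) {
        # Only user accounts carry MFA settings; groups and service principals are skipped.
        if ($Member.RoleMemberType -ne 'User') { continue }
        $User = Get-MsolUser -ObjectId $Member.ObjectId
        $Methods = @($User.StrongAuthenticationMethods)
        $Default = ($Methods | Where-Object IsDefault).MethodType
        [pscustomobject]@{
            Role              = $Role.Name
            UserPrincipalName = $User.UserPrincipalName
            MfaRegistered     = $Methods.Count -gt 0
            DefaultMfaMethod  = $Default
            # PhoneAppNotification / PhoneAppOTP are the Authenticator app methods.
            UsesAuthenticator = $Default -in 'PhoneAppNotification', 'PhoneAppOTP'
            PasswordAgeDays   = (New-TimeSpan -Start $User.LastPasswordChangeTimestamp -End (Get-Date)).Days
        }
    }
}

# Non-compliant accounts first: no MFA, then not on the Authenticator app, then oldest passwords.
$Report | Sort-Object MfaRegistered, UsesAuthenticator, @{ Expression = 'PasswordAgeDays'; Descending = $true } |
    Format-Table -AutoSize
$Report | Where-Object { -not $_.MfaRegistered -or $_.PasswordAgeDays -gt $MaxPasswordAgeDays } |
    Export-Csv C:\Temp\AdminMfaExceptions.csv -NoTypeInformation
```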
Using PowerShell we can get the list of users created during a particular time frame, such as the last day or the last 30 days. This may be helpful in an AD audit or when tracking a security breach.
First, create a variable that stores how far back you want to go.
Make sure you run PowerShell as an administrator; if you don't, you may get blank values for WhenCreated.
$When = (Get-Date).AddDays(-30) # You can change number of days here as per your requirement.
Get-ADUser -Filter {WhenCreated -ge $when}
#If you want to list particular properties, you can use the command below.
Get-ADUser -Filter {WhenCreated -ge $when} -Properties * | FT Name, UserPrincipalName, WhenCreated
We can also get the group membership of these users in the same command output.
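The same report with group membership resolved and privileged groups flagged, as an added example that is not code from the original post; it assumes an elevated session with the ActiveDirectory module, and the list of privileged groups is an assumption.

```powershell
# Added example (not from the original post): report AD users created in the last N days with
# their group membership, flagging any that were placed in privileged groups. Run in an
# elevated session with the ActiveDirectory module; the privileged-group list is an assumption.
param([int]$Days = 30)
$Since = (Get-Date).AddDays(-$Days)
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'

$NewUsers = Get-ADUser -Filter { WhenCreated -ge $Since } -Properties WhenCreated, MemberOf, Enabled |
    ForEach-Object {
        # MemberOf holds direct group DNs only (the primary group, usually Domain Users, is not
        # listed and nested membership is not expanded); resolve them to names for readability.
        $Groups = foreach ($Dn in $_.MemberOf) { (Get-ADGroup -Identity $Dn).Name }
        [pscustomobject]@{
            Name              = $_.Name
            UserPrincipalName = $_.UserPrincipalName
            WhenCreated       = $_.WhenCreated
            Enabled           = $_.Enabled
            Groups            = ($Groups | Sort-Object) -join '; '
            Privileged        = [bool]($Groups | Where-Object { $_ -in $PrivilegedGroups })
        }
    }

# Privileged new accounts first: these are the ones to verify against a change record.
$NewUsers | Sort-Object Privileged -Descending |
    Format-Table Name, WhenCreated, Enabled, Privileged, Groups -AutoSize
$NewUsers | Export-Csv "C:\Temp\NewUsers-Last$($Days)Days.csv" -NoTypeInformation
```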
When you are in a Teams meeting and someone is sharing content from their screen, the new Teams meeting experience opens the meeting and the chat in separate windows, and the sharing window is really small.
We can turn off the "New Teams meeting experience", but then we will have one single window for the meeting and the chat; however, we will have the "Full Screen" option and can see a large window when someone is sharing their screen.
To turn off the new Teams meeting experience, go to Settings -> General -> Application and uncheck "Turn on new meeting experience". This option is not available in newer Teams versions.
However, we can also increase the size of the sharing window in the new meeting experience.
To use full screen in the sharing window:
Click on "More Actions" (the three dots at the top of the Teams window) -> click on "Full Screen".
Go to More Actions again and click on Focus.
If the window is still small, you can also zoom in on the shared window.
Just hold the Ctrl key and rotate the mouse wheel up to zoom in, or rotate it down to zoom out.
There are situations when we need to copy one user's OneDrive data to another user's OneDrive, for example when a user leaves the company and their manager wants all the project-related files from that user's OneDrive. By default, when we remove a user's license, the OneDrive data is preserved for 30 days, which can be increased. If we want to preserve the files longer than this, we can either place a retention hold on the OneDrive or copy the data to another user's OneDrive.
We can follow the process below to copy OneDrive data.
When an employee leaves your organization, management may want to access their data to review it, hand it over to a new employee, or back it up.
Once you remove the license and delete the user, you have 30 days by default (this can be increased from the OneDrive admin center) to access the user's OneDrive data; after 30 days the data will be deleted.
We can allow other users to access OneDrive data using the methods below.
Option 1 – Using the user's OneDrive link from the M365 admin center
In the admin center, go to the Users > Active users page. Select a user. In the right pane, select OneDrive. Under Get access to files, select Create link to files.
Click on this link and you will be redirected to the user's OneDrive in your browser window.
Replace OneDrive with mngsiteadmin, so the link becomes the line below.
Add the new user to the permissions list and click OK. Don't remove any existing permissions here.
The new user will now have permissions to the OneDrive.
Option 2 – Using the SharePoint admin center
Log in to the SharePoint admin center.
In the left-hand pane, open "More features".
Under User profiles, select Open.
Under People, select Manage User Profiles.
Enter the user's name and click Find.
Right-click on the user's name and select Manage Site Collection Owners.
Add a secondary admin under "Site Collection Administrators" and click OK.
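The same change made from SharePoint Online PowerShell rather than the admin center, as an added example that is not code from the original post; it assumes the Microsoft.Online.SharePoint.PowerShell module, that the leaver is still listed as the site owner, and uses placeholder tenant and user names.

```powershell
# Added example (not from the original post): grant a manager access to a leaver's OneDrive with
# SharePoint Online PowerShell (Microsoft.Online.SharePoint.PowerShell module) instead of the
# admin center UI. Tenant and user names are placeholders.
$TenantName = 'contoso'                # placeholder
$LeaverUpn  = 'leaver@contoso.com'     # placeholder
$ManagerUpn = 'manager@contoso.com'    # placeholder

Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"

# Resolve the personal site from the tenant instead of hand-building the URL from the UPN,
# so renamed accounts and non-obvious URLs are still found.
$Site = Get-SPOSite -IncludePersonalSite $true -Limit All -Filter "Url -like '-my.sharepoint.com/personal/'" |
    Where-Object Owner -eq $LeaverUpn
if (-not $Site) { throw "No OneDrive site found for $LeaverUpn" }

# This is what "Manage Site Collection Owners" does: add a secondary site collection admin.
Set-SPOUser -Site $Site.Url -LoginName $ManagerUpn -IsSiteCollectionAdmin $true
"Granted $ManagerUpn site collection admin on $($Site.Url)"

# Check who now holds admin rights on the site; remove the extra admin once the copy is done.
Get-SPOUser -Site $Site.Url -Limit All | Where-Object IsSiteAdmin | Select-Object LoginName, Email
```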
We can generate an OWA login report for Exchange servers from the IIS logs; we need Log Parser to build the desired report.
For example, if you want a report of OWA logins for all users over 10 days:
Download and install Log Parser and Log Parser Studio on a server and note down the installation path.
On one of the servers where you have enough space, create a folder on the C: drive named "OWALogs".
Copy 10 days of logs from C:\inetpub\logs\LogFiles\W3SVC1 on each of your Exchange servers to C:\OWALogs (the log files from different servers share the same names, so rename them as you copy so they don't overwrite each other).
Create a subdirectory under C:\OWALogs called MergedOWALogs.
Open an elevated CMD on the server where you installed Log Parser.
Now navigate to C:\Program Files (x86)\Log Parser 2.2
Run the command below (straight quotes are required; curly quotes will make CMD fail to parse the query):
logparser.exe -i:iisw3c "select * into c:\OWALogs\MergedOWALogs\merged.log from c:\OWALogs\*" -o:csv
It will take some time depending on the size of the logs, and will then create the file Merged.log inside C:\OWALogs\MergedOWALogs.
Now run the command below:
LogParser -i:csv "SELECT cs-username, date, time, c-ip, cs-uri-stem, cs(User-Agent) FROM C:\OWALogs\MergedOWALogs\Merged.log TO C:\OWALogs\Output.csv WHERE cs-method LIKE '%get%' AND cs-uri-stem LIKE '%owa%'" -o:csv
It will take some time depending on the size of the logs.
It will create the file C:\OWALogs\Output.csv.
You can zip this file and copy it to your desktop, then apply whatever filters you need to get the results you want.
If the above command doesn't work in CMD, you can run the commands below in PowerShell.
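An added example (not from the original post) that builds the same report in PowerShell without Log Parser, by parsing the W3C "#Fields:" header of the IIS logs directly; the sample log is constructed, and it goes one step beyond the Log Parser query by dropping anonymous ("-") hits so only authenticated sessions remain.

```powershell
# Added example (not from the original post): the same OWA login report built in PowerShell
# without Log Parser. It reads the W3C "#Fields:" header so column order does not matter.
function Get-OwaLoginReport {
    param([string[]]$LogFiles)
    foreach ($File in $LogFiles) {
        $Fields = $null
        foreach ($Line in Get-Content -Path $File) {
            if ($Line -like '#Fields:*') {
                # The header names the columns for the lines that follow (it can change mid-file).
                $Fields = ($Line -replace '^#Fields:\s*', '') -split ' '
                continue
            }
            if (-not $Fields -or [string]::IsNullOrWhiteSpace($Line) -or $Line.StartsWith('#')) { continue }
            $Row = @{}
            $Values = $Line -split ' '
            for ($i = 0; $i -lt $Fields.Count; $i++) { $Row[$Fields[$i]] = $Values[$i] }
            # Same filter as the Log Parser query (GET against /owa), plus: drop anonymous hits
            # ("-") so the report only shows authenticated sessions.
            if ($Row['cs-method'] -eq 'GET' -and $Row['cs-uri-stem'] -like '*owa*' -and $Row['cs-username'] -ne '-') {
                [pscustomobject]@{
                    User = $Row['cs-username']; Date = $Row['date']; Time = $Row['time']
                    ClientIP = $Row['c-ip']; UriStem = $Row['cs-uri-stem']
                    UserAgent = $Row['cs(User-Agent)']; Status = $Row['sc-status']
                }
            }
        }
    }
}

# Constructed sample in IIS W3C format (not a real log); for real data pass
# (Get-ChildItem C:\OWALogs\*.log).FullName instead.
$Sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-01 08:01:10 10.0.0.5 GET /owa/ - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) - 401 1 2148074254 15
2021-03-01 08:01:12 10.0.0.5 GET /owa/ - 443 CONTOSO\alice 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 120
2021-03-01 08:02:40 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) - 302 0 0 30
2021-03-01 08:03:05 10.0.0.5 GET /ecp/ - 443 CONTOSO\bob 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 80
'@
$SampleFile = Join-Path $env:TEMP 'owa-sample.log'
Set-Content -Path $SampleFile -Value $Sample
$Report = Get-OwaLoginReport -LogFiles $SampleFile   # only the CONTOSO\alice row matches
$Report | Format-Table -AutoSize
$Report | Export-Csv -Path (Join-Path $env:TEMP 'OwaLogins.csv') -NoTypeInformation
```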
You see issues when trying to connect to your file shares and get an "Access Denied" error, and you also see events 5827 and 5828 in the domain controller event logs.
In your storage logs you also see error – AUTH: Domain Controller error: NetLogon error 0xc0000022: – Filer’s security information differs from domain controller
The cause of this issue is a patch which Microsoft released in two phases, adding these events:
August 11, 2020 - Initial Deployment Phase
In August, Microsoft released the first phase of a two-phase fix to force secure RPC with Netlogon.
This flags all non-secure RPC endpoints and generates a warning in the event logs on domain controllers.
Event ID 5829 is logged whenever a vulnerable Netlogon secure channel connection is allowed.
February 9, 2021 - Enforcement Phase
The second phase activates enforcement mode. "The DCs will now be in enforcement mode regardless of the enforcement mode registry key. This requires all Windows and non-Windows devices to use secure RPC with Netlogon secure channel or explicitly allow the account by adding an exception for the non-compliant device."
Event IDs 5827 and 5828 are logged when vulnerable Netlogon connections are denied.
For non-Windows devices acting as a DC, these events are logged in the System event log when vulnerable Netlogon secure channel connections are used. If one of these events is logged:
Recommended: Work with the device manufacturer (OEM) or software vendor to get support for secure RPC with Netlogon secure channel.
Vulnerable: If a non-compliant DC cannot support secure RPC with Netlogon secure channel before the DCs are in enforcement mode, add the DC using the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy described below.
Allowing vulnerable connections from third-party devices
Use the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy to add non-compliant accounts. This should only be considered a short-term remedy until the non-compliant devices are addressed as described above. Note: allowing vulnerable connections from non-compliant devices might have an unknown security impact and should be done with caution.
Create one or more security groups for the accounts that will be allowed to use a vulnerable Netlogon secure channel.
In Group Policy, go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
Search for "Domain controller: Allow vulnerable Netlogon secure channel connections".
If the Administrators group, or any group not specifically created for use with this Group Policy, is present, remove it.
Add a security group created specifically for this Group Policy to the security descriptor with the "Allow" permission. Note: the "Deny" permission behaves the same way as if the account was not added, i.e. the accounts will not be allowed to make vulnerable Netlogon secure channel connections.
Once the security group(s) are added, the group policy must replicate to every DC.
Periodically monitor events 5827, 5828 and 5829 to determine which accounts are using vulnerable secure channel connections.
Add those machine accounts to the security group(s) as needed. Best practice: use security groups in the group policy and add accounts to the group, so that membership is replicated through normal AD replication. This avoids frequent group policy updates and replication delays.
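The periodic monitoring step done across all DCs in one pass, as an added example that is not code from the original post; it assumes the ActiveDirectory module, a security group name of your own choosing for the policy exception, and that the account name can be parsed from the event message text.

```powershell
# Added example (not from the original post): collect Netlogon events 5827, 5828 and 5829 from
# every DC for the last 7 days, summarise which accounts still use vulnerable secure channels,
# and show which of them are not yet in the exception group. The group name is an assumption;
# the account is parsed from the event message text.
$ExceptionGroup = 'Netlogon-VulnerableChannel-Allowed'   # assumption: the group used in the GPO
$Filter = @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5827, 5828, 5829
             StartTime = (Get-Date).AddDays(-7) }

$Events = foreach ($Dc in Get-ADDomainController -Filter *) {
    Get-WinEvent -ComputerName $Dc.HostName -FilterHashtable $Filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 5827/5829 name a machine account ("SamAccountName: host$"); 5828 names a trust.
            $Account = if ($_.Message -match 'SamAccountName:\s*(\S+)') { $Matches[1] }
                       elseif ($_.Message -match 'Trust Name:\s*(\S+)') { $Matches[1] }
                       else { '<unparsed>' }
            [pscustomobject]@{
                DC      = $Dc.HostName
                Time    = $_.TimeCreated
                EventId = $_.Id
                Outcome = if ($_.Id -eq 5829) { 'Allowed (pre-enforcement warning)' } else { 'Denied' }
                Account = $Account
            }
        }
}

# Accounts already granted an exception through the security group referenced by the policy.
$Allowed = @(Get-ADGroupMember -Identity $ExceptionGroup -Recursive -ErrorAction SilentlyContinue).SamAccountName

$Summary = $Events | Group-Object Account | ForEach-Object {
    [pscustomobject]@{
        Account     = $_.Name
        Events      = $_.Count
        LastSeen    = ($_.Group | Measure-Object Time -Maximum).Maximum
        Denied      = @($_.Group | Where-Object { $_.EventId -in 5827, 5828 }).Count
        InException = $_.Name -in $Allowed
    }
}
# Warnings without an exception will turn into denials once enforcement is on; accounts already
# being denied are the ones behind the "Access Denied" symptom described above.
$Summary | Sort-Object InException, @{ Expression = 'Denied'; Descending = $true } | Format-Table -AutoSize
```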