42 Topics

Advice needed: Multitenant organization issues
Hey peeps, a client of mine is asking for an optimal solution to their sub-optimal organization structure. I want to see if there's something more I can do here or if we are stuck with our environment the way it is. It's such a strange ask that it will take a few paragraphs to describe, so bear with me.

Client has a central corporate entity, but the "branch" entities operate separately and have a fair amount of self-governance. This central corporate entity has a Microsoft 365 tenant and that's what everyone's email matches, including branch members. Let's call it corp.onmicrosoft.com with a verified domain of corp.com. So, everyone at corporate and the branches has addresses/UPNs of @corp.com.

Before my time, one of the self-governing branches chose to set up a SharePoint site specific to their branch. They put all the files on a separate 365 tenant of corp-ny.onmicrosoft.com with verified domain corp-ny.com. There are a couple of identities on that 365 tenant, but since everyone uses their corp.com email, they access the SharePoint data from their primary corporate identities as GUESTS of the branch's tenant. So the branch tenant has 3 members and 100+ guests.

We perform IT for just the BRANCH, not the corporate structure. Since corporate IT is not interested in changing infrastructure at this time, we would like to convert all the guest identities on the branch tenant to members and we can then leverage technologies like Intune & CA and move them off of their on-premise AD server that is not doing AD Connect. I have a quick script that will do all of that: convert, license, set some properties for all 100 members. Seems okay! After the change, members will have their corporate identity for email, and the branch identity for SharePoint and Windows login.

We've identified a problem, however, with notifications. When you comment on a file in SharePoint, a notification is generated for anyone that participates in that file. The notification is sent from the commenter's identity. Currently, that means notifications come from @corp.com. However, after the change those notifications will come from corp-ny.com. This domain does NOT have an MX record associated with it, and we think this will lead to a LOT of confusion if people try to reply directly to the emails. It might also have the potential(?) to fail email spoofing checks or be flagged as suspicious by email servers. Additionally, the notifications would be sent to their branch identities, which I assume would not deliver. Even if it did deliver and we added an MX record, it would be in an inbox that's not checked by the team.

My question is: Can I mask the notification email to be from "email address removed for privacy reasons" for all of the notifications? Or, can I "spoof" the emails so that they appear to be sent from the corporate identity? Secondly, what's the best way to deal with notifications headed to the wrong inbox? Can a transport rule redirect these emails to their corporate emails?

O365 Email Migration to Another Tenant while Deferring Migration of SharePoint files
Hi, This is the context: ChildCompany has O365 and it has an Azure AD in hybrid mode synchronizing to an on-prem AD server. They have an internal domain ChildCompany.com, and an external domain ChildCompany.com where they also receive and send email using O365. ParentCompany is going to absorb the ChildCompany some time next year, and I was asked about the integration options. According to this https://download.microsoft.com/download/b/a/1/ba19dfe7-96e2-4983-8783-4dcff9cebe7b/microsoft-365-tenant-to-tenant-migration.pdf I could do a phased migration, where the end state is that they decomm their on-prem AD and that they only use our ParentCompany systems.

The business requirement is to start their integration with Email, and then in later phases do the SharePoint integration, as that requires way more analysis of their data sources, as they also have wikis and many other on-prem legacy stuff. They are less than 50 users, so I can use Quest migration tools for the email part, but I wonder what needs to happen in what order.

This is what I have in mind: Migrate their current O365 into our ParentCompany Office 365 subscription, so that they can continue logging in to their domain-joined Windows machines using childCompany.co, so they start using ParentCompany.com email addresses, but the problem then is how can they continue using their SharePoint and OneDrive resources associated with the Azure and local domain at ChildCompany.com? This is more or less what I have in mind for the intermediate step, the cutover:

Child Company                                   ParentCompany
---------------------                           ----------------
On-Prem        | MS Cloud:             | MS Cloud:
---------------|-----------------------|--------------------
Local AD (ADFS)| Azure Subscription    | Azure Sub
               |   Azure AD            |   Azure AD
               |-----------------------|--------------------
               | O365 Sub ->           | O365 Sub
               | Exchange mailboxes -> | Exchange mailboxes
               | Sharepoint? ->        | ???
               |-----------------------|--------------------

I wonder how it could be possible to defer the SharePoint and OneDrive migration, so that the child company users can still work on their SharePoint files using their normal auth methods, while disabling childcompany.com as MX so they start using ParentCompany.com mailboxes. Is that even possible? Would it make more sense to try to migrate everything at once? That is way more work, but I'm weighing my options.

Modern Auth Looping with Outlook 2016 when Outside Corporate Network
Hello! First time poster, here. In the past ~1-2 months, our travelling users have been running into an authentication loop in Outlook 2016. They will suddenly be asked to enter their password in Outlook (the larger, white, browser-based modern authentication window, not the small Outlook client username/password authentication window). Entering their password will close the window, then the window will immediately pop back up. The Outlook client cannot be used until they come back inside our network and reboot their PC.

I was able to immediately reproduce the issue on my work laptop (64-bit Windows 10 1803 running Office 2016 32-bit version 1809) by deleting my Outlook profile, deleting all saved Office-related credentials in the Credential Manager, and connecting my laptop to my smartphone hotspot (to simulate being outside the network). Starting Outlook 2016, I'll create a new profile, connect with my AD account, enter my password in the Outlook 2016 authentication box; my email will actually start loading in Outlook, then the larger, white authentication window will pop up. I enter my password, it will disappear, then pop up again, and on, and on...

We have worked with MS Support on this issue for a total of ~7 hours in multiple remote sessions, and here are the troubleshooting steps they took, which all failed:
- Using an app password when the MFA browser window asks for the user's password ("invalid password")
- Adding "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\DisableADALatopWAMOverride" to the registry, with a DWORD value of 1
- Using "Fiddler" to collect logs while the issue occurred (the technician seemed like they had no idea how to use the program, since the certificates installed by the program effectively blocked Outlook 2016 from communicating with the Microsoft servers)
- Turning on Outlook logging, and reproducing the issue. The logs were not affected in any way while the looping was taking place, leading us to believe that the issue is taking place outside of the Outlook application.
- MS O365 Support then brushed it off as Incident EX152471, which was announced as resolved yesterday evening, but the problem still persists in our environment.

The ONLY workaround that we found is adding "DisableAADWAM" to HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\, and giving it a DWORD value of 1. But disabling Web Access Management is not a solution! Can anyone shed any light on our issue? Thank you, --Ryan

How to add alias domain for all users?
Hi, There's a company with their company's full name as their domain name and a shorter domain name. So, contoso.com and conto.so. They need all their users to have an alias of contoso.com and conto.so to be their primary email address. This way, they can:
- Send/Send as/Receive emails as both domain names for the respective users
- Receive shared files (OneDrive for Business and SharePoint Online) on both domain names for the respective users
- Call as/receive calls/book meetings on Skype for Business using both domain names for the respective users
- Send and receive calendar shares or event invitations on both domain names for the respective users
This needs to be automatic, rather than adding the domain alias for each user. How can this be configured? Thanks,

User object not synchronized anymore
Hey guys, we have one user object which seems not to sync anymore. Some days ago the sync was fine for the mailbox marketing@contoso.com. Then we migrated the mailbox from OnPrem to EOL. Now we recognized that the default onmicrosoft email address changed; it is now marketing1234@contoso.onmicrosoft.com. I wondered about it, so I added marketing@contoso.onmicrosoft.com and marketing1234@contoso.onmicrosoft.com OnPrem. I hoped it would sync and afterwards I can remove the unwanted address. The AAD Connect shows no errors, the user object is still in the OU which is activated for sync. What would be the smoothest way to fix this? Kind regards, woelki

On-prem Exchange needed for Azure AD Connected MS365 users with a mailbox?
We have an on-prem Active Directory with users synced to MS365 for their Office 365 logins. Works great. We used to use Zimbra for email, so no Exchange server in sight. We now want to add mailboxes to the users' MS365 accounts, and want to confirm if we NEED a full-blown on-prem Exchange 2016 server with a free hybrid config license just to manage things like email addresses, aliases, and other user attributes that are sourced from Active Directory. I have done this a few times for sites that already had Exchange, but what about MS365 tenants that never had an Exchange server? I guess it's close to Scenario 2 in this article; I just want to confirm what is the absolute minimum we should be trying to get away with when adding this to a site with no history of Exchange. Windows 10 and Exchange Management Tools looked like a plan, but that doesn't include Exchange Admin Centre, only EMS and Exchange Toolbox. Is this article still the current situation: https://docs.microsoft.com/en-us/exchange/decommission-on-premises-exchange Best, Kevin

Authentication in Hybrid Environment to Outlook, Teams
Hi all, We have a hybrid environment. Local AD syncs to AAD with AAD Connect. Authentication uses Pass-through Authentication and SSO. Exchange Online is configured with HMC in Modern Authentication. All works fine. In local AD our UPN is xyz@zyx.local; I configured AAD and users can log in to O365 using their mail address with the routable domain xyz@zyz.com. I have a question: can I set up Outlook and Teams to use Windows credentials? Right now users have to enter their login and password. The username is filled with the UPN alias xyz@zyx.local; it's also bad behaviour. I know the UPN should be the same as the Primary SMTP but we can't do this. Regards, Rafal

Enabling modern authentication: Impacts
Hi All, In our organization, we are planning to roll out modern authentication for Exchange, SharePoint and Skype for Business, which is currently disabled. If we enable it at tenant level, will there be any impact at end user level? We only have Outlook 2016 and above in our tenant. Regards, Saikrishna M