Office 365 Password Expiration Policy

This topic applies to Office 365 Enterprise, Office 365 Business Essentials or Office 365 Business Premium.

User passwords expire on a regular basis in Office 365. Global and delegated admins can make the user’s password expire after a certain number of days or set the password to never expire. Admins can also change the number of days before users are notified of password expiration.

  1. Sign in to Office 365 with your work or school account.
  2. Go to the Office 365 admin center.
  3. Go to Service settings > Passwords.
  4. If you don’t want users to have to change passwords, select Passwords never expire. If you select this option, users won’t get any reminders anymore to change their passwords.
  5. If you want user passwords to expire, type the number of days before the password should expire. Choose a number of days from 14 to 730.
  6. Type the number of days before users are notified that their password will expire, and then click Save. Choose a number of days from 1 to 30.
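The same policy can be set from PowerShell with the MSOnline module that the later "Managing tenants using Powershell" section installs. The following is an added example, not part of the original article or Microsoft's documentation: it wraps Get-MsolPasswordPolicy and Set-MsolPasswordPolicy in a small function that enforces the same 14 to 730 and 1 to 30 day ranges as the admin center and returns the before and after values for the change record. It assumes Connect-MsolService has already been run; the domain name is a placeholder.

```powershell
# Added example (not from the original article): the PowerShell equivalent of the
# "Service settings > Passwords" page, using the MSOnline module's Get-/Set-MsolPasswordPolicy.
# Assumes Connect-MsolService has already been run with an account that can manage the domain.
# The domain name below is a placeholder.

function Set-DomainPasswordPolicy {
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        [ValidateRange(14, 730)] [int] $ValidityDays,      # same 14-730 day range as the admin center
        [ValidateRange(1, 30)]   [int] $NotificationDays   # same 1-30 day range as the admin center
    )

    # Record the current policy so the change can be reviewed or rolled back.
    $before = Get-MsolPasswordPolicy -DomainName $DomainName

    Set-MsolPasswordPolicy -DomainName $DomainName `
        -ValidityPeriod $ValidityDays `
        -NotificationDays $NotificationDays

    $after = Get-MsolPasswordPolicy -DomainName $DomainName

    # Return before/after side by side so the change is visible in the session log.
    [pscustomobject]@{
        Domain               = $DomainName
        ValidityPeriodBefore = $before.ValidityPeriod
        ValidityPeriodAfter  = $after.ValidityPeriod
        NotificationBefore   = $before.NotificationDays
        NotificationAfter    = $after.NotificationDays
    }
}

# Example: passwords expire after 90 days and users are warned 14 days ahead.
Set-DomainPasswordPolicy -DomainName 'domainname.com' -ValidityDays 90 -NotificationDays 14 | Format-List
```

The admin center's "Passwords never expire" option has no domain-level cmdlet equivalent here; it is applied per user with Set-MsolUser -PasswordNeverExpires $true, which the Exchange Commands section at the end of this page shows.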

See Microsoft Office 365 Support page


Exchange – room and equipment resources

A “Resource” is a “contact” in an Exchange/Outlook Calendar that represents a room or a piece of equipment. In the same way that a person can have an email address and can be assigned to meetings, rooms and equipment can be treated the same way in Exchange.

Equipment can include anything from a mobile phone to a fleet vehicle.

Resources are established by an Exchange administrator by creating a unique name and assigning an email address to the resource. Users who have access to Exchange can access a resource list to create a meeting and they can “invite” the resource to the meeting just like setting up a meeting with a person. Network administrators are needed to create and configure resource accounts because these kinds of accounts are created and managed in Exchange Active Directory, which requires expert knowledge.

If the resource is available for a “meeting”, it can be reserved by the user. That resource is then removed from the list of available resources until its “meeting” is finished. If the resource is already reserved for a meeting, it cannot be used. Values can be attached to resources, too. For instance, a limit can be set so that a room can only accept a maximum number of people at a meeting. Also, equipment limits can be set so that a laptop can only be in use once.

The system is scalable and can cope with large volumes and types of resources including equipment. Universities use Exchange resource accounts to manage their rooms and equipment distribution on campus.

Outlook includes a scheduling assistant that graphically charts the availability of resources.

There are two kinds of resource mailboxes:

1. Room mailboxes –  A room mailbox is a resource mailbox that’s assigned to a physical location, such as a conference room, an auditorium, or a training room. After an administrator creates room mailboxes, users can easily reserve rooms by including room mailboxes in meeting requests.

2. Equipment mailboxes –  An equipment mailbox is a resource mailbox assigned to a resource that’s not location specific, such as a portable computer, projector, microphone, or a company car. After an administrator creates an equipment mailbox, users can easily reserve the piece of equipment by including the corresponding equipment mailbox in a meeting request.

Resources can be reserved in a calendar using Outlook Web Access or with desktop installed versions of Outlook. If other users need to see resource usage, consider shared calendars or group calendars. Once you have decided how to organize your calendar, follow these steps for OWA or Outlook client for desktop.

1. Reserving room resources using Outlook Web Access (OWA)

– log in to OWA at http://mail.office365 using your email address and password.
– open the app menu, and then click Calendar, as this screenshot shows:

[Screenshot 1: OWA dashboard]

– in Calendar, click “new” to create a new event:

[Screenshot 2: new calendar event]

– Fill in the form, making sure the event title is meaningful when viewed in the calendar. There are two ways to reserve a location or a room. Firstly, you can click the “add room” button to display the room resources available. Secondly, you can open the Scheduling assistant to see which resources are already committed to meetings. The scheduling assistant is useful because it shows which resources may already be reserved at the time you want to use them. You can also add rooms from the scheduling assistant.

You can reserve rooms and equipment for one meeting. To add equipment, you must select it from the “attendees” button which sits behind the dropdown menu in the illustration below. When you have finished creating your event, be sure to click “save”.

[Screenshot 3: room resource]

2. Reserving equipment resources using Outlook Web Access (OWA)

The process for reserving equipment resources differs from the method for reserving rooms. Firstly, there is no button like the “add room” button illustrated above. Instead, equipment is selected from the attendees button, which you can see in the illustration below. Lastly, equipment cannot be selected in the scheduling assistant, although the scheduling assistant does list equipment that is in use. Unless you are sure the equipment you want is available for the meeting, always check the scheduling assistant first to save work.

[Screenshot 4: select equipment]

Note that in this example, a room resource has already been assigned to the meeting. The location reserved is Workshop 1, and the room is included in the “Attendees” field. Also, the “add room” button has changed to “change room”. When you select equipment, it will be added to “Attendees”.

When you have finished creating your event, be sure to click “save”. You will receive an email either accepting or declining the event. Events are usually declined because of conflicts, or because the reservation duration or date falls outside the scope of scheduling.
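The accept/decline replies described above are driven by settings an Exchange administrator puts on the resource mailbox. The following is an added example, not code from the original article: it creates the room and equipment resources described in this section and applies the capacity and booking limits (conflicts, booking window, maximum duration) that produce the automatic declines. It assumes an Exchange Online PowerShell session is already open, which is where New-Mailbox, Set-Mailbox and Set-CalendarProcessing come from; the resource names and aliases are placeholders.

```powershell
# Added example (not from the original article): how an Exchange administrator creates the
# room and equipment resources described above and sets the limits that cause automatic
# accept/decline replies. Assumes an Exchange Online PowerShell session is already open
# (New-Mailbox, Set-Mailbox and Set-CalendarProcessing are proxied through that session).
# The names and aliases below are placeholders, not real accounts.

# 1. A room resource: "Workshop 1", seating up to 12 people.
New-Mailbox -Name 'Workshop 1' -Alias 'workshop1' -Room
Set-Mailbox -Identity 'workshop1' -ResourceCapacity 12

# 2. An equipment resource: a projector that can only be booked once at a time.
New-Mailbox -Name 'Projector A' -Alias 'projectorA' -Equipment

# 3. Booking rules shared by both resources. These are the settings behind the
#    "declined because of conflicts, duration or date" behaviour described above.
$bookingRules = @{
    AutomateProcessing       = 'AutoAccept'  # accept or decline without a human delegate
    AllowConflicts           = $false        # a second booking for the same time is declined
    BookingWindowInDays      = 180           # requests further out than this are declined
    MaximumDurationInMinutes = 480           # requests longer than 8 hours are declined
    EnforceSchedulingHorizon = $true         # apply the booking window to recurring meetings too
    DeleteComments           = $false        # keep the organiser's notes in the booking
}
Set-CalendarProcessing -Identity 'workshop1'  @bookingRules
Set-CalendarProcessing -Identity 'projectorA' @bookingRules

# 4. Verify: list every resource mailbox with its capacity and booking settings.
Get-Mailbox -RecipientTypeDetails RoomMailbox, EquipmentMailbox |
    ForEach-Object {
        $cal = Get-CalendarProcessing -Identity $_.Identity
        [pscustomobject]@{
            Name          = $_.DisplayName
            Type          = $_.RecipientTypeDetails
            Capacity      = $_.ResourceCapacity
            AutoProcess   = $cal.AutomateProcessing
            WindowDays    = $cal.BookingWindowInDays
            MaxMinutes    = $cal.MaximumDurationInMinutes
            AllowConflict = $cal.AllowConflicts
        }
    } | Format-Table -AutoSize
```

With AutomateProcessing set to AutoAccept the resource mailbox itself sends the acceptance or decline email mentioned above; with the default AutoUpdate a delegate has to approve each request by hand.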

Exchange Kiosk POP Settings

Exchange Kiosk is a bolt-on for Office 365 Enterprise licenses. Exchange Kiosk suits mobile users who do not use permanent workstation services but need mobile access to email, and optionally Sharepoint. The service does not include Office applications, and although Kiosk connects to tablets and mobile phones with ActiveSync, workstation and laptop access via Outlook uses POP3 settings.

The service is a useful way to reduce licensing costs for small businesses that have a PC at home but need two or three independent licenses. In this case, Kiosk can be added to an existing Office 365 tenancy, whereas Hosted Exchange licenses require their own tenancies.

Exchange Kiosk is not available to Small Business Premium or domestic Office 365 licenses. Kiosk is designed for Active Directory, and is only available to Enterprise licenses (E1, E3, etc.). These screenshots display Kiosk POP3 settings for Outlook:

[Screenshot: general POP settings]

[Screenshot: POP settings for Exchange Kiosk (2)]

[Screenshot: POP authentication]

Using Shared email accounts in OWA

If you have full privileges to a shared mailbox that appears in an Exchange address book, you can use Outlook Web App or a desktop version of Outlook (for example, Outlook 2013), to open that mailbox.

Shared mailboxes allow a group of people to monitor and send email from a public email alias, like info@contoso.com or contact@contoso.com. When a person in the group replies to a message sent to the shared mailbox, the email appears to be from the shared mailbox, not from the individual user. You can also use the shared mailbox as a shared team calendar.

The admin for your organization has to create the shared mailbox and add you to the group of users before you can use it.

Display a shared mailbox using OWA

Use this method to monitor email from your primary mailbox and the shared mailbox at the same time. After you complete this task, each time you open Outlook Web App, the shared mailbox and its folders will display in the left navigation in Outlook Web App.

  1. Sign in to your account in Outlook Web App.
  2. Right-click your primary mailbox in the Folder pane, and then click Add shared folder.
  3. In the Add shared folder dialog box, type the name of the shared mailbox, select the name, and then click Add.

The shared mailbox displays in your Folder list in OWA, and it will appear there each time you access OWA. You can expand or collapse the shared mailbox folders just as you can with your primary mailbox. If you no longer want the shared mailbox in your folder list, right-click the shared mailbox, and then click Delete.

Display a shared mailbox in standalone mode

Use this method if you want to view and manage email for a shared mailbox in its own browser window, rather than showing the shared mailbox folder in OWA’s navigation tree.

  1. Sign in to your account in Outlook Web App.
  2. In the Navigation bar on the top of the Outlook Web App screen, click on your name. A drop-down list will appear.
  3. Click Open another mailbox.
  4. Type the email address of the other mailbox that you want to open. Another Outlook Web App session will open in a different window allowing access to the other mailbox.

Tip: If you mistype the email address of the mailbox, a second window will open stating that the webpage can’t be found. Retype the email address and try again.

Note that shared mailboxes also come with a calendar. A shared calendar is created when administrators create a shared mailbox, so that group members have mutual access and privileges to it.

Managing tenants using Powershell

Although Powershell’s built-in security makes connecting to remote servers more involved, once authenticated it gives network administrators utilities that extend far beyond GUI-driven interfaces such as the Exchange Administration Console (EAC). This article explains how to open and terminate remote sessions to third-party tenants.

When Powershell is properly configured, network administrators need three commands to open a session and one command to close it. Once connected, administrators store the client’s tenant ID in a variable, which is then passed to each command to direct it at the client’s servers.

Opening a Powershell Session

Import-Module MSOnline
Connect-MsolService
$tenID=(get-msolpartnercontract -domain domainname.com).tenantId.guid

To terminate a session:

Remove-PSSession $Session

Connection script

An unsigned script which automates the commands above and additionally calls the snap-in module for Exchange is available at ComStat’s Script page. If loaded to local drive c:\script, the Powershell command looks like:

c:\script\EXO-Connect.ps1

To test the snap-ins are loaded on sign in, run this command:

get-mailbox

Remember to sign out of sessions using

Remove-PSSession $Session
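The $Session variable that Remove-PSSession removes is created by the Exchange part of the connection script, not by the three MSOnline commands above. The following is an added example, not ComStat’s EXO-Connect.ps1 or any Microsoft sample: it puts the open, test and close steps of this section into one script in which the Exchange session is always removed, even when a command fails. It assumes the MSOnline module is installed and uses the legacy Exchange Online remote PowerShell endpoint, https://outlook.office365.com/powershell-liveid/, that this article’s era relied on; Microsoft has since retired that endpoint together with basic authentication, and current tenants use Connect-ExchangeOnline and Disconnect-ExchangeOnline from the Exchange Online PowerShell module instead. The domain name is a placeholder.

```powershell
# Added example (not ComStat's EXO-Connect.ps1): the three commands above plus the Exchange
# remote session that gives Remove-PSSession its $Session variable, wrapped so the session is
# always removed even if a command fails. Assumes the MSOnline module is installed. Uses the
# legacy Exchange Online remote PowerShell endpoint, which Microsoft has since retired along
# with basic authentication; current tenants use Connect-ExchangeOnline instead.
# The domain name is a placeholder.

Import-Module MSOnline

# One credential prompt serves both the MSOnline and the Exchange connection.
$cred = Get-Credential -Message 'Office 365 admin account (partner or tenant admin)'
Connect-MsolService -Credential $cred

# The client's tenant ID, looked up from its domain name exactly as in the article.
$tenID = (Get-MsolPartnerContract -Domain domainname.com).TenantId.Guid

$Session = $null
try {
    # Exchange Online cmdlets are not a local module; they are proxied through this session.
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
        -Credential $cred -Authentication Basic -AllowRedirection

    # Import-PSSession loads the proxied cmdlets (Get-Mailbox and friends) into this shell.
    Import-PSSession $Session -DisableNameChecking | Out-Null

    # Connectivity checks: one MSOnline cmdlet against the client tenant, one proxied Exchange cmdlet.
    Get-MsolUser -TenantId $tenID | Select-Object -First 5 UserPrincipalName, IsLicensed
    Get-Mailbox -ResultSize 5 | Select-Object DisplayName, RecipientTypeDetails
}
finally {
    # Runs on success or failure, so no remote session is left open. Exchange Online caps the
    # number of concurrent remote sessions per account, so abandoned sessions block later sign-ins.
    if ($Session) { Remove-PSSession $Session }
}
```

Keeping Remove-PSSession in a finally block is the practical form of the "remember to sign out" reminder above: a script that throws half-way through still releases its session.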

Explanation & Concepts

Administrators can handle common management functions with the Office 365 and Exchange control panels. Occasionally, delegated network administrators need to configure client-side processes that Office 365 and the EAC do not provide for. Also, Powershell can run one command across several servers simultaneously.

For guidance on Microsoft’s current provisions for advanced management of client tenancies, check here.

Windows PowerShell cmdlets for Office 365

Before using Powershell with Office 365 for the first time, Powershell needs some utilities. Users need to install the “MS Online Service Sign-in Assistant for IT Professionals”. Also, the commands that Powershell relies on for Office 365 management are housed in the “Azure Active Directory Module for Windows Powershell”. Follow the guidance here to install these services. Another useful download is the “Windows PowerShell Module for Lync Online”, available here.

Cmdlet modules do not install directly into Powershell. Instead, these “snap-ins” sit in a separate directory and are called when they are needed for sessions. Modules are managed this way so that users can rapidly update Powershell’s main cmdlet library, which is updated frequently, with the latest help content for it available for download by running this update command:

update-help -force

Using Powershell as a tenant’s global administrator

Delegated administrators can log in to client tenants with a tenant’s global administrator credentials if they are available. From a security standpoint, this is not good practice. However, to test that Powershell is adequately equipped and that session execution policy permissions (more about this below) are properly set, it is worth running a simple script. For instance, the following script can be used to view basic tenant information on either caistar.com or comstation.co.uk. The script, together with the other scripts listed in this article, is available at ComStat’s Sharepoint script site.

c:\script\MSOLTenantDetails.ps1

– more information about this script is available here. At time of writing, this script is unsigned. Depending on your Powershell environment, you may need to run this command:

Set-ExecutionPolicy Unrestricted

Powershell imposes a strict security policy. The policy requires scripts to be “trusted”, and by default Powershell will not execute unsigned scripts. Signing scripts can be done within Powershell. This prevents scripts being tampered with, for example with additional commands that may be malicious. Since the scripts used here are short and can be quickly previewed, another approach when opening Powershell is to run the following command:

Set-ExecutionPolicy Unrestricted
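The paragraph above mentions that signing can be done within Powershell. The following is an added example, not code from the original article or from ComStat’s script site: it signs a script, verifies the signature, and sets RemoteSigned for the current user as the alternative to Unrestricted for the whole machine. It assumes Windows PowerShell 5.1 or later on a Windows host; the certificate subject, script path and temporary file name are placeholders. A self-signed certificate is used so the example works without a CA; on a team it would be replaced by a code-signing certificate issued by your internal CA, which every workstation already trusts.

```powershell
# Added example (not from the original article): how to sign a script and verify it, as the
# alternative to Set-ExecutionPolicy Unrestricted. Assumes Windows PowerShell 5.1 or later on a
# Windows host; the certificate subject, script path and temp file are placeholders.
# A self-signed certificate is used so the example works without a CA; on a team it would be
# replaced by a code-signing certificate issued by your internal CA.

$scriptPath = 'C:\script\MSOLTenantDetails.ps1'

# 1. Reuse a code-signing certificate if one is already present, else create a test one.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if (-not $cert) {
    $cert = New-SelfSignedCertificate -Type CodeSigningCert `
        -Subject 'CN=O365 admin scripts (test)' -CertStoreLocation Cert:\CurrentUser\My

    # A self-signed certificate is trusted by nobody until it is placed in the Root and
    # Trusted Publisher stores; without this step Get-AuthenticodeSignature reports the
    # chain as untrusted rather than Valid. (Importing into Root prompts for confirmation.)
    $cerFile = Join-Path $env:TEMP 'o365-scripts-test.cer'
    Export-Certificate -Cert $cert -FilePath $cerFile | Out-Null
    Import-Certificate -FilePath $cerFile -CertStoreLocation Cert:\CurrentUser\Root | Out-Null
    Import-Certificate -FilePath $cerFile -CertStoreLocation Cert:\CurrentUser\TrustedPublisher | Out-Null
}

# 2. Sign the script. The timestamp keeps the signature valid after the certificate expires.
Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert `
    -TimestampServer 'http://timestamp.digicert.com' | Out-Null

# 3. Verify. Any later edit to the file changes Status from Valid to HashMismatch, which is
#    the tampering (for example an appended command) that the execution policy is meant to catch.
$sig = Get-AuthenticodeSignature -FilePath $scriptPath
'{0}: {1} (signer: {2})' -f $scriptPath, $sig.Status, $sig.SignerCertificate.Subject

# 4. Require signatures on anything downloaded, for this user only, instead of Unrestricted
#    for the whole machine. Locally authored scripts still run; downloaded ones must be signed
#    (or explicitly reviewed and unblocked with Unblock-File).
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
Get-ExecutionPolicy -List
```

RemoteSigned is the setting that matches the workflow on this page: scripts downloaded from a site such as ComStat’s carry the “from the internet” mark and are refused until they are signed or, after being read, unblocked, while scripts written on the machine run as before.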

For access to a client’s tenant, follow the guidance below.

Establishing a remote Session

Open Powershell and run the following commands:

Import-Module MSOnline
Connect-MsolService

When prompted, enter the credentials that you use to log into Office 365 portal (MOP) and that allow you to manage Office 365 on behalf of your customers.

Once logged in to Caistar or Comstation, the session provides connectivity to the other servers on which delegated administration has been granted. Commands run as if executing on the administrator’s own server; however, each command is given a variable that points to the target server.

$tenID=(get-msolpartnercontract -domain domainname.com).tenantId.guid

In this case, we establish a variable called $tenID. The variable is assigned with $tenID= and the expression that follows looks up the client’s tenant ID by reference to the domain name associated with the account. Office 365 tenant IDs are longer than credit card numbers, so looking up the tenant ID from the client’s domain name and storing it in $tenID saves a lot of keystrokes. Here is an example, using hafodrenewables.co.uk (tenant ID = acc617f5-9d4a-4ea9-8823-2385e7d5271a):

$tenID=(get-msolpartnercontract -domain hafodrenewables.co.uk).tenantId.guid

Successful command execution returns the user to the command prompt. From now on, commands executed with -tenantID $tenID will run on the client’s servers. To test connectivity, after assigning a client to the variable, run this command to list the users on the client server:

get-msoluser -tenantID $tenID

The important point to understand is that Powershell executes commands on a tenant ID, not a domain name. Also, the variable that references the client’s tenant ID must be called with each command, or commands will be executed on the host server. Lastly, by assigning multiple tenant IDs to one variable, administrators can simultaneously run one command across multiple servers and compile output in either formatted tables or even .html. In this way, tasks that might take hours or days can be run in seconds.

Exchange Commands

List Office 365 users:

get-msoluser -tenantID $tenID

Set a user’s password to never expire:

Set-MsolUser -UserPrincipalName alias@domainname.com -PasswordNeverExpires $true -tenantID $tenID
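The multi-tenant pattern described under “Establishing a remote Session” (one command across every client tenant, output compiled into a table or .html) is most useful for auditing settings such as the one just shown, since an account whose password never expires is exactly the kind of exception a delegated administrator should be able to list on demand. The following is an added example, not code from the original article or ComStat’s script site: it walks every partner contract, queries each tenant with -TenantId, collects the users that have PasswordNeverExpires set, and writes both a console table and an HTML report. It assumes Connect-MsolService has already been run with the partner account; the report path is a placeholder.

```powershell
# Added example (not from the original article): the multi-tenant pattern from
# "Establishing a remote Session" applied to the PasswordNeverExpires setting above.
# One query runs across every client tenant the partner account manages, the results are
# collected into one table, and an HTML report is written. Assumes Connect-MsolService has
# already been run with the partner account; the report path is a placeholder.

$report = 'C:\script\PasswordNeverExpires.html'

# One object per (tenant, user) pair where PasswordNeverExpires is set. Every cmdlet is called
# with -TenantId; without it the command would silently run against the partner's own tenant.
$findings = Get-MsolPartnerContract -All | ForEach-Object {
    $contract = $_
    $tenID = $contract.TenantId.Guid

    Get-MsolUser -TenantId $tenID -All |
        Where-Object { $_.PasswordNeverExpires -eq $true } |
        ForEach-Object {
            # Some accounts have no recorded password change; leave the age blank for those.
            $ageDays = if ($_.LastPasswordChangeTimestamp) {
                [int]((Get-Date) - $_.LastPasswordChangeTimestamp).TotalDays
            } else { $null }

            [pscustomobject]@{
                Tenant             = $contract.DefaultDomainName
                TenantId           = $tenID
                User               = $_.UserPrincipalName
                Licensed           = $_.IsLicensed
                LastPasswordChange = $_.LastPasswordChangeTimestamp
                PasswordAgeDays    = $ageDays
            }
        }
}

# Console view, sorted so the oldest non-expiring passwords come first.
$findings | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize

# HTML report for hand-off to the client or for the change record.
$findings | Sort-Object Tenant, PasswordAgeDays -Descending |
    ConvertTo-Html -Title 'Accounts with PasswordNeverExpires' `
        -PreContent ('<h1>Accounts with PasswordNeverExpires</h1><p>Generated {0:u}</p>' -f (Get-Date)) |
    Set-Content -Path $report

'{0} account(s) across {1} tenant(s); report written to {2}' -f `
    $findings.Count, ($findings.Tenant | Sort-Object -Unique).Count, $report
```

Swapping the Where-Object filter for another property (for example unlicensed accounts, or users whose StrongPasswordRequired is false) turns the same loop into a different cross-tenant report without changing the session handling.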

Test password change:

Get-MSolUser -UserPrincipalName alias@domainname.com -tenantID $tenID |