Thursday 24 March 2016 is now!

I've rebranded my blog!

As we embrace the cloud, I would imagine we won't see the traditional Microsoft waves anymore, but this will do for now until I rebrand once more.

More Office 365, Skype for Business, Exchange Server and Azure MFA posts coming soon. Maybe with a splash of EMS!

Take care,

Oliver Moazzezi – Office Servers and Services MVP
Twitter: @Olivermoazzezi

Thursday 17 March 2016

Office 365 - Allow Distribution Groups to receive email externally

I published this script on the TechNet Gallery yesterday. You can find it here:

The script will connect to your tenant and allow each Distribution Group to receive email from an external address, rather than only from within your Org which is the default.

The script supports the –CSV parameter, this is for when you just want to externally enable a subset of distribution groups as you do actually want some to be internal only.

Anyhow here's a quick guide to the script in action.

Run the script

Take some time to read the intro – it does give you some good information like, for example, the –CSV switch. Hit Y to continue

Once you've said Y, it will ask you for the tenant domain, now I have done this because if you're using an account that isn't an admin of the tenant (or an account with the relevant RBAC rights), you can actually connect to a tenant under the Partner model

It will ask you to confirm you details, Y to continue

Enter your credentials for the tenant

It will now connect to Exchange Online

And prompt you to confirm you've connected to the right tenant (again if you're going in with your Partner Admin credentials over a tenant you are helping to administer)

Hit Y to start making the changes

Once it has completed it will give you a summary of the total number of distribution groups found, and the changes made, and also give you a total of any that have not had any changes made (which will be ZERO unless you have used the –CSV option)

That's it!

If you want to only enable it for certain distribution groups use the –CSV switch and create a CSV with a column for 'Identity' and the names of the Distribution Groups.

If you are running direction synchronisation with AADSync or AADConnect, and synchronising Groups, then this script isn't for you, you must make the change on-premises and the change will be synchronised to Exchange Online. If your Groups are Cloud based however, and you're only synchronising Users - then this will work for you.

Take care,

Oliver Moazzezi – MVP Exchange Server
Twitter: @Olivermoazzezi

Friday 11 March 2016

Office 365 DKIM: No DKIM keys saved for this domain

I had the pleasure of enabling DKIM for an Office 365 tenant yesterday. I won't go into any details on how you do it, as that's been covered many times by various bloggers out on the internet.

One thing did get when enabling it however, was that a domain that was added to the tenant afterwards, wasn't able to be enabled for DKIM. It simply sat there stating "No DKIM keys saved for this domain".

This post is on how you resolve it.

So let's take a look at the issue. I login to the Exchange Admin Center, select |Protection, then |dkim

You can see the domain status states "No DKIM keys saved for this domain". If I check others you can see they are either in an enabled state, or available to be enabled:

So how do we resolve it? Well you'll need to use Powershell.

Let's open a session to the tenant and check the status of DKIM signing for all domains by using Get-DkimSigningConfig. You can see in the below Powershell window the domain isn't stated at all.

As '' simply isn't there, we need to add it. To forcefully add it and get Office 365 to realise it's there to use, let's run this Powershell command:

New-DkimSigningConfig –DomainName "The domain that has the error message" –Enabled $true

We will get a CNAME error if we haven't set the CNAME records up, which isn't an issue, just means we'll have to do them before we can enable it.

So what's the status of this domain look like in the EAC now?

Fantastic! You can see the error "No DKIM keys saved for this domain" is removed and we can enable it (once we've done those CNAME records!!)

Out of interest, running Get-DkimSigningConfig now shows the domain in the list and set as disabled.

Oliver Moazzezi – MVP Exchange Server
Twitter: @Olivermoazzezi