Automate Azure Administrative Units in Azure Automation

Azure Automation delivers a cloud-based automation and configuration service that provides consistent management across your Azure and non-Azure environments. It consists of process automation, update management, and configuration features. Azure Automation provides complete control during deployment, operations, and decommissioning of workloads and resources. It can automate frequent, time-consuming, and error-prone cloud management tasks. This automation helps you focus on work that adds business value.

Azure Automation manages across the lifecycle of your infrastructure and applications. Transfer knowledge into the system on how the organization delivers and maintains workloads. Author in common languages like PowerShell, desired state configuration, Python, and graphical runbooks. Common scenarios for Automation:

  • Build / Deploy resources: Deploy VMs across a hybrid environment using Runbooks and Azure Resource Manager templates. Integrate into development tools like Jenkins and Azure DevOps.
  • Configure VMs: Assess and configure Windows and Linux machines with the desired configuration for the infrastructure and application.
  • Monitor: Identify changes on machines that are causing issues and remediate or escalate to management systems.
  • Protect: Quarantine VM if security alert is raised. Set in-guest requirements.
  • Govern: Set up role-based access control for teams. Recover unused resources.

Also, Azure Automation can be used for specific Microsoft 365 tasks, like monitor Office 365 Groups and Microsoft Teams creation, expiration, and changes to those workloads, export mailbox audit logs, fill Azure Administrative Units with user objects, etc.

Many small companies are completely in the cloud and don’t have any kind of on-premises server or management server available to run individual PowerShell scrips. At least, this is a good alternative method for running automated tasks in Azure without existing hardware.

Azure Administrative Units

In a nutshell, Azure AU’s simply groups your users into logical units. It allows you to grant admin permissions that are restricted to a department, region, or other segments of your organization. An admin will be able to perform various tasks against all users within the scope of an administrative unit. More information can be found in my other blog post here.

Azure Automation and Administrative Units

You might have many different logical organization units within your organization and there could be a need to automatically fill Azure AU’s with user objects based on their UPN value or other attributes where your objects should be segmented. Azure Automation and Graph API can help you to automate those things properly.

For security reasons, I prefer the connect to Graph API using a certificate. The advantage is that you don’t have to store secrets (even if you should use Azure Key Vault or a credential asset and never store passwords readable in any of your scripts) and just use the certificate to authenticate against the service. I highly recommend the article of Alex Asplund as he shows how to connect to Graph API in different ways for automation.

In the first step, create an Enterprise application in the Azure portal with your required permissions. As an example, I also use the EXOv2 PowerShell module to securely connect to Exchange Online PowerShell with the same certificate and therefore I added the EXO permissions to my app, too.

Figure 1: Graph API Application Permission

Next, prepare your Azure Automation account and upload your certificate.

Figure 2: Upload your certificate to your Azure Automation account

It’s easier if you define variables for your certificate thumbprint, the AU id itself, and the filtering value for user objects that should be included in this particular AU.

Figure 3: Azure Automation Variables

Last but not least you have to create your runbook with the PowerShell code to connect to Graph API and do the filtering. In this step, use your preferred method to connect, either credentials or certificate, and then you can use this sample function based on UPN filtering to add all user objects to the AU.

# Get all users in tenant function 
Get-AllUsers {     $QueryResults = @()     $Uri = '$select=mailnickname,userprincipalname,mail,proxyaddresses,id'
     do {         $Results = Invoke-RestMethod -Uri $Uri -Headers (Get-RequestHeader) -Method Get -ContentType "application/json"
         if ($Results.value) {             $QueryResults += $Results.value         }         else {             $QueryResults += $Results         }         $uri = $Results.'@odata.nextlink'     } until (!($uri))     return $QueryResults } 

function Get-AdministrativeUnitMembers($unitId) {     $QueryResults = @()     $Uri = '' + $unitId + '/members'     do {         $Results = Invoke-RestMethod -Uri $Uri -Headers (Get-RequestHeader) -Method GET -ContentType "application/json"         if ($Results.value) {             $QueryResults += $Results.value         }         else {             $QueryResults += $Results         }         $uri = $Results.'@odata.nextlink'          }until(!($uri))     return $QueryResults } 

function Add-AdministrativeUnitMember ($unitId, $memberId) {     $body = @{         "" = "" + $memberId     }     $Uri = '' + $unitId + '/members/$ref'     Invoke-RestMethod -Uri $Uri -Headers (Get-RequestHeader) -Method POST -ContentType "application/json" -body ($body | ConvertTo-Json) } 

$TenantName = get-automationvariable WGF_groupAutomation_tenantName $AppId = get-automationvariable WGF_groupAutomation_appId $Certificate = Get-AutomationCertificate -Name WGF_groupAutomation_cert $scope = get-automationvariable -Name AzureAdministrativeUnits_Automation_scope| ConvertFrom-Json 

# Since we cannot filter on UPN at request level we have to get all users and filter the results afterwards
$allUsers = Get-AllUsers $scope | % {     $unitId = $_.administrativeUnit     $filter = $_.filter     $usersInScope = $allUsers | ? { $_.userPrincipalName -like $filter }     $allUnitMembers = Get-AdministrativeUnitMembers -unitId $unitId          foreach ($user in $usersInScope) {         if ($ -contains $ {             write-output ($unitId + ' | Already a member: ' + $user.userPrincipalName)         }         else {             write-output ($unitId + ' | Adding Member : ' + $user.userPrincipalName)             Add-AdministrativeUnitMember -unitId $unitId -memberId $user.Id         }     } } 

You can configure your scheduled runtime settings or just manually start the Runbook and your user objects will automatically appear in the defined Administrative Unit.

A big thank you to my friend and colleague Andreas, who works as a Cloud Automation Architect, who helped my customer and me with the Automation architecture in Azure, the development of this Runbook, and a lot of more automation tasks.

Exchange Online Basic Authentication Settings

Microsoft recently added Basic Authentication settings to the Microsoft 365 admin center (Roadmap). You can now quickly disable/enable Basic Authentication per protocol:

Login to and go to “Settings” and “Org settings”:

Next, click on “Modern authentication” and you can see the configuration options like this:


More information on Basic Authentication, how to use Graph API or OAuth2 for POP and IMAP protocols, also how to use the Exchange Online v2 PowerShell module with Modern Authentication can be found here.

Session slides “password-less authentication in AD FS 2019” from European Collaboration Summit

European Collaboration Summit ( 2019 was an awesome community-driven conference and it was a pleasure being part of it!

You can download my session slides about “password-less authentication with AD FS 2019” here:!ApvEqumCGaOPjJgyXIazPiJpQVXaqA

BRK3081 – Implementing a modern network architecture to get the most out of Office 365

This blog post covers a summary of the session from Paul Collinge and Jeff Mealiffe about a recommended network architecture to get the most out of Office 365.

The enterprise connectivity challenge is that most customers are using a lot of expensive network equipment for the outgoing and incoming network traffic to and from the Internet. For example, proxy servers, WAN accelerator, secure web gateway, intrusion prevention system, etc. All of this network and connectivity equipment is expected because all things outside is unknown and untrusted.The enterprise connectivity challenge

But this model doesn’t fit with the cloud world of Office 365 and causes various connectivity problems.

Continue reading “BRK3081 – Implementing a modern network architecture to get the most out of Office 365”

Exchange Server Preview 2019

Microsoft announced today a preview build of Exchange Server 2019. You can download it here.

“We strongly believe Office 365 delivers the best and most cost-effective experience to our customers, but we understand that some customers have reasons to remain on-premises. Exchange Server 2019 is designed to deliver security, performance, and improved administration and management capabilities. These are the attributes our largest on-premises customers tell us they need from Exchange. We also have features end-users will love too of course.”

Read more at the EHLO blog.

Centralized Mail-Transport In Exchange Multi-Forest Environments

Outbound messages to the Internet are routed from the Exchange Online organization through your on-premises organization. With the exception being messages sent to other recipients in the same Exchange Online organization, all messages sent from recipients in the Exchange Online organization are sent through the on-premises organization. This enables you to apply compliance rules to these messages and any other processes or requirements, like digital sign emails at your smtp gateway, or that must be applied to all of your recipients, regardless of whether they’re located in the Exchange Online organization or the on-premises organization.

Read more at the ENow Software Blog.

Delegated Administration with Azure Active Directory Administrative Units

Office 365 comes with a set of admin roles that can be assigned to users within your organization. Each admin role maps to common business functions and gives your users permissions to do specific tasks in the Office 365 admin center and Windows PowerShell.
This is especially true for large organizations or universities with multiple brands or decentralized administration within a single Office 365 tenant, the default admin roles can cause headaches. While the delegation of permissions in Exchange Online works very well with Role Based Access Control (RBAC), other applications and services are hard to manage at a granular level. For example, license management or helpdesk for different countries, brands, and organizations. In these organizations, only a subset of administrative users are allowed to edit properties based on their region or brand.

Read more at the ENOW SOFTWARE BLOG

Exchange Hybrid MRS vs. MigrationService Migrations

I would like to share some Exchange 2010 hybrid migration facts with you that we figured out.

First, again many thanks to Michael Van Horenbeeck! He helped me discuss this with a customer. I’m always very happy to work with him. And many thanks to Ben Winzenz and Jeff Kizner as well, I’m very grateful for your help.

In short: a customer is trying to keep about 65k mailboxes in sync to ensure a short cutover time. We are using a maximum of 1,500 mailboxes per batch, 5 batches per week, and switching 7,500 mailboxes with an overall data of about 5TB per week. For some technical details, we are using Azure ER (800 Mbit) for migration with 4 TMG as a proxy and some kind of F5 load balancing in between, PAW is activated, and two migration endpoints with each 100 sync/complete in parallel. We did some networking measuring and move request statistics and we had an average migration velocity of 18.6GB/h for batches starting the first incremental sync (0% to 95%) which is great. Of course, the migration velocity depends on the number of batches, mailboxes, mailbox items, network workload, etc.

Continue reading “Exchange Hybrid MRS vs. MigrationService Migrations”

Delegated Administration in Exchange Online

My colleagues and I are working on a (pilot) multi-forest Exchange hybrid environment with a single Office 365 tenant. In this early stage of the project we will have two companies, each with their own on-premises environment. One of the requirement is a delegated administrative concept for Exchange Online, which means administrators and helpdesk workers should only manage and configure settings for their specific domains. This blog post will show you how to handle this with Role Based Access Control (RBAC).

Read more at the atwork blog.

Troubleshooting Active Directory Federation Services

Enabling single sign-on for your users must not be a big deal. There are multiple hybrid identity authentication scenarios available to obtain single sign-on capabilities to your users:

  • Active Directory Federation Services (AD FS): single sign-on, based on one identity in your on-premises Active Directory and publishes on-premises and cloud web applications. This is the most complex scenario and often used by organizations with 250+ seats. They are not only using Office 365 applications for single sign-on, but also for other Intranet and Internet applications to achieve SSO user experience.
  • Password Hash Sync (PHS): same sign-on, which means you must authenticate again with your on-premises credentials accessing Office 365 services.
  • Pass-through authentication (PTA): single sign-on, allows your users to sign in to Azure Active Directory directly validating the users’ passwords against your on-premises Active Directory.
  • Seamless single sign-on: single sign-on, automatically signs your users in when they are on their corporate devices connected to your corporate network. Can be combined with either PHS or PTA.

When should I use AD FS instead of other hybrid authentication methods?

Read more at the atwork blog.