Recipient Type Values on AD attribute

Both mailbox creation and deletion failure scenarios heavily involve verifying the current recipient type values across all directories – especially in a directory synchronized environment. For example; if a user is listed on-prem as a remote mailbox with a cloud archive, then you should expect EXO to have a primary and an archive mailbox for this user. If it doesn’t, then troubleshoot for a synchronization failure somewhere between on-prem and EXO.

The three attributes you will be dealing with are the following, and there are many possible values for each:

  1. msExchRemoteRecipientType
  2. msExchRecipientDisplayType
  3. msExchRecipientTypeDetails


Continue reading

[Case study] Conditional formatting on excel with customized “first day of the week”

Recently, we have a task to highlight the schedule in excel for last week and this week presenting with different color. However, the conditional formatting function come with Excel doesn’t not meeting our requirement. According to international standard ISO 8601, Monday is the first day of the week. It is followed by Tuesday, Wednesday, Thursday, Friday, and Saturday. Sunday is the 7th and last day of the week.

There is not option to customize the predefined function in conditional formatting, that’s said we need to DIY a new function with formatting rule. By using function WEEKNUM([DATE],2), we can get the actual week number of the [DATE] which comes with ISO8601 standard.

Therefore, using =WEEKNUM(A1,2)=WEEKNUM(TODAY(),2) can get the [DATE] result for this week; =WEEKNUM(A1,2)=WEEKNUM(TODAY(),2)-1 can get the [DATE] result for last week.

Assign O365 license by PowerShell

Assigning license to a group of O365 users are always the most headache task for administrators. So why don’t we script it? Let’s start!

First of all, check the license plan and usage of your company.

Connect-AzureAD #Connect to the tenant

Get-AzureADSubscribedSku | Select SkuPartNumber #Show account service plan and grep the SkuPartNumber (e.g, Microsoft 365 E3 = ENTERPRISEPACK, Microsoft 365 F1 = SPE_F1)

#Check SKU Service Plan detail option from the above output. Let's say if there are 22 SkuPartNumber in your service plan, you would like to select the 19th one, fill in 18 in the array of $license
$licenses = Get-AzureADSubscribedSku

Copy the output, so now you got all of the information of your account license that you want to add. The next step is define the service plan you would like to activate for the group of users. Create a csv file, define the license option (The output above); Friendly Name; Add License Option (True or False). Below are the example, we would like to enable Microsoft Search, Skype for Business, Office Online and Exchange Online but disable Microsoft Teams.

MICROSOFT_SEARCH;Microsoft Search;yes
TEAMS1;Microsoft Teams;no
MCOIMP;Skype for Business Online;yes
SHAREPOINTWAC;Office Online;yes
EXCHANGE_S_DESKLESS;Exchange Online Kiosk;yes

Create another csv and import the SMTP addresses that you would like to add the licenses.

[email protected]
[email protected]

Finally, the main PowerShell script.

# Powershell for license assignment                                                                                #
# Author: Wallace Ho                                                                                                     #
# Version: 1.0                                                                                                           #

$users = Import-Csv "C:\Users\wallaceho\Desktop\Licenses\users.csv" -Delimiter ";" # Define SMTP address CSV file path
$additionalOptions = Import-Csv "C:\Users\wallaceho\Desktop\Licenses\licenseplan.csv" -Delimiter ";" | ?{$_.addLicenseOption -eq "no"} #License path filter for disable option

foreach ($user in $users) #for each user in the SMTP address CSV file path
    $opts = New-MsolLicenseOptions -AccountSkuId "<accountid:serviceplan>" –DisabledPlans $additionalOptions.LicenseOption #Define disable option, remember to change the <accountid:serviceplan>
    Set-MsolUserLicense -UserPrincipalName $user.smtpAddress -RemoveLicenses <accountid:serviceplan>  #Remove old license, remember to change the <accountid:serviceplan>
    Set-MsolUserLicense -UserPrincipalName $user.smtpAddress -AddLicenses <accountid:serviceplan> -LicenseOptions $opts #Add new license, remember to change the <accountid:serviceplan>

HTTPS SSL on CloudFlare

Nowadays, many of the server hosts are using CloudFlare to speed up and secure their site, but how can you deploy the SSL certificate after your site being redirected to CloudFlare? Actually there are many ways to do that, some of the options are even for FREE!

Cloudflare SSL operates in different modes depending on the level of security required and the amount of configuration you’re willing to do. Traffic to the end user will always be encrypted, which means your website will always enjoy the benefits of HTTPS. However, traffic between Cloudflare and your origin server can be configured in a variety of ways.

Flexible SSL
Flexible SSL encrypts traffic from Cloudflare to end users of your website, but not from Cloudflare to your origin server. This is the easiest way to enable HTTPS because it doesn’t require installing an SSL certificate on your origin. While not as secure as the other options, Flexible SSL does protect your visitors from a large class of threats including public WiFi snooping and ad injection over HTTP.

Full SSL
Full SSL mode provides encryption from end users to Cloudflare and from Cloudflare to your origin server. This requires an SSL certificate on your origin server. In Full SSL mode, you have three options for certificates to install on your server: one issued by a Certificate Authority (Strict), one issued by Cloudflare (Origin CA), or a self signed certificate. It is recommended that you use a certificate obtained through Cloudflare Origin CA.

Origin CA
Origin CA uses a Cloudflare-issued SSL certificate instead of one issued by a Certificate Authority. This reduces much of the friction around configuring SSL on your origin server, while still securing traffic from your origin to Cloudflare. Instead of having your certificate signed by a CA, you can generate a signed certificate directly in the Cloudflare dashboard.

IT seminar – IBM cloud & AI; China Cyber security law

Recently I went to two quite interesting seminar and both are kind of a very hot topic.

The first one is discuss about the new China cyber security law. Nowadays, most of the registration in China needs to provide real personal information for real-name authentication. It is include but not limited to travelling buses,  Express Rail Link, Free Wi-Fi access, e-payment….. The one we are concerning for IT infrastructure is providing free Wi-Fi for guest. A real-name authentication and log system must be implemented. There are two real-name authentication method: 1. SMS, 2. Wechat authenticate. After the authentication, the system must also store at least 6 months logging including all access logs and DHCP logs that can be traceable. All log must be upload to the government system by daily. Therefore, if any guest use the public Wi-Fi to do any illegal things, the host of the service will not get into any trouble. Continue reading