Office 365 Hybrid Configuration Wizard does not run

You may find that when you run the Exchange Hybrid Configuration Wizard, it does not run: if you launch it from the Exchange Admin Center or from the Exchange Online Admin Center, it may just flash up and do nothing.

The solution is to change the file association for .application files to Internet Explorer. However, if you try this in the Control Panel, you will find that it is impossible.

Instead, do this using good old Windows Explorer.

  • Check you are viewing file extensions in Windows Explorer (View > File name extensions)
  • Right click in your Documents folder or somewhere, create a new file called test.application
  • Right click on it and choose Properties, and change the application that opens it to Internet Explorer

Now you should be able to run the application.
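As an added check that is not part of the original post, the PowerShell below reads which handler Windows will actually use for a .application (ClickOnce) file, so you can confirm the per-user change made in the Properties dialog took effect. It assumes the stock registry layout (HKCR\.application pointing at a ProgId, and the per-user UserChoice key under Explorer\FileExts); the exact ProgId and command values on your machine may differ.

```powershell
# Added example (not from the original post): report the effective .application handler.
# Assumption: standard Windows 10 / Server 2016 registry layout for file associations.

function Get-ClickOnceAssociation {
    $result = [ordered]@{}

    # Machine-wide ProgId for the extension (on a stock build this is the ClickOnce ProgId)
    $ext = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.application' -ErrorAction SilentlyContinue
    $result.MachineProgId = $ext.'(default)'

    # The open command that ProgId runs; ClickOnce normally routes through dfshim.dll
    if ($result.MachineProgId) {
        $cmdKey = "Registry::HKEY_CLASSES_ROOT\$($result.MachineProgId)\shell\open\command"
        $cmd = Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue
        $result.MachineOpenCommand = $cmd.'(default)'
    }

    # Per-user override written by the Properties > Change dialog (the change the post makes)
    $userChoiceKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.application\UserChoice'
    $uc = Get-ItemProperty -Path $userChoiceKey -ErrorAction SilentlyContinue
    $result.UserChoiceProgId = $uc.ProgId

    # The per-user choice, when present, wins over the machine-wide ProgId
    $result.EffectiveProgId = if ($uc.ProgId) { $uc.ProgId } else { $result.MachineProgId }

    [pscustomobject]$result
}

Get-ClickOnceAssociation | Format-List
```

Run it before and after changing the association: UserChoiceProgId should be empty beforehand and show the Internet Explorer ProgId afterwards, while MachineProgId stays unchanged because the Explorer dialog only writes the per-user key.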

Inviting external guests to Microsoft Teams

In order to allow users to invite external guests to collaborate in Teams, you may find that you get the error "You are not authorised" when adding external guests.

This is because the Guest setting has to be enabled in two places, the first is to allow guests to use your Teams sites, and the second is to allow your users to invite external guests.

Enable Guest access to Teams

      • Go to the Office 365 Portal at https://portal.office.com
      • Click Settings > Services & add-ins > Microsoft Teams
      • Under Settings by user/license type, drop the list down and choose Guest
      • Then set the switch to On

Enable users to add guests in Azure AD

You also need to change this setting to enable users to invite guests if you have not set this up already. The alternative to this is adding guests as an Admin into Azure AD, after which they can be added by Team owners.

Bear in mind that this affects other services in Office 365 / Azure.

      • Go to the Azure Portal at https://portal.azure.com, then open the Azure Active Directory blade
      • Click Users under Manage
      • Click User Settings, and then Manage external collaboration settings:
      • Set Members can invite to Yes (you should generally set Guests can invite as No)

Now this is rather open by default, so we can then restrict the types of guests as follows:

Setting Collaboration restrictions

Now, choose how restrictive you want to be by setting the collaboration restrictions to one of the options:

    • Allow invitations to be sent to any domain
    • Deny invitations to the specified domain
    • Allow invitations only to the specified domain (recommended)

Securing B2B guest access in Office 365 / Azure AD

    If you integrate your Enterprise applications with Azure AD, you may want to allow your users to invite external users in a secure manner, without enabling guest access to any other resources, or having to involve admins every time a guest needs to be added.

    Microsoft documents how to allow your users to manage guest access here:

    https://docs.microsoft.com/en-us/azure/active-directory/b2b/what-is-b2b

    So there are two ways to do this: either you let Admins add your B2B users, or you let your own users do this. This article focuses on the latter, enabling your users to add guests, whilst doing so in a secure manner. The Microsoft article above does not discuss how to securely enable guest access in the first place, so this is the focus of this post.

    Note that if you just want to control access to Teams, SharePoint, OneDrive and Office 365 groups, all of these are controlled separately and you don’t need to follow this first section. See the end of this post for more detail.

    Securing guest access to applications

    As already mentioned, Admins can add guests to the directory, so if you want complete control of guest access then do not turn on the settings below. Once an admin has added a guest, users can then invite the guests to various resources as required.

    The steps to allow users to invite guests to specific applications are documented here; I am going to assume you have done this:

    https://docs.microsoft.com/en-us/azure/active-directory/b2b/add-users-information-worker

    However, these steps are not enough on their own. Once you have allowed users to manage access to an individual application, you need to follow the steps below to complete the process. Note that these settings are tenant wide, so they will also apply to other applications, and the domain restrictions will also apply to Teams and SharePoint, so bear that in mind before you start restricting guests to specific domains.

    Guest invitation settings

    If you want to allow collaboration without requiring the intervention of Admins, and want to enable guest access outside of Teams or SharePoint e.g. to B2B applications that you have integrated with Azure AD, you need to enable users to invite guests at the Tenant level:

    Enable users to add guests on the tenant

    • Go to the Office 365 Portal at https://portal.office.com
    • Settings -> Security & privacy -> Sharing
    • Click Edit and then allow users to add new guests

    Enable users to add guests in Azure AD

    Note that the same setting can be accessed in Azure AD, so alternatively can be set here:

    • Go to the Azure Portal at https://portal.azure.com, then open the Azure Active Directory blade
    • Click Users under Manage
    • Click User Settings, and then Manage external collaboration settings:
    • Set Members can invite to Yes (you should generally set Guests can invite as No)

    Now this is rather open by default, so we can then restrict the types of guests as follows:

    Setting Collaboration restrictions

    Now, choose how restrictive you want to be by setting the collaboration restrictions to one of the options:

    • Allow invitations to be sent to any domain
    • Deny invitations to the specified domain
    • Allow invitations only to the specified domain

    If you need users to be able to invite guests, you can use a whitelist to ensure that they can only invite users from domains of your choosing. So you could add the domains of your partners here, to ensure that users can collaborate with your partners, but not with other external users.

    If possible, use the last option and enter the domains of your partners. Note that this will also affect other areas e.g. SharePoint and Teams, so you should add the domains of all of your partners here. Note that this setting will prevent even an Admin from adding a guest from an unauthorised domain directly to Azure AD, but if this is required you could briefly add a domain to the list.

    Users can then add guests using the Access Panel at myapps.microsoft.com, but only from the domains which are allowed.

    Putting it all together

    Now users can invite guests to the app of which they have been assigned as an owner.

    If another domain is tried, they will get an error.

    This will also apply to Teams.

    Restrict access to the Azure AD portal

    • Go to portal.azure.com
    • Click Users under Manage
    • Click User Settings
    • Under Administration portal, click Yes – Restrict access to Azure AD administration portal

    If you do this, then users will be unable to use Azure AD from the portal.

    Other guest settings

    Teams

    If you only need to enable Guest access for Teams collaboration, you just need to go to portal.office.com, then Settings > Services & add-ins > Microsoft Teams > Settings by user/license type.

    SharePoint

    SharePoint and OneDrive guest access is also controlled separately, in the SharePoint Admin center.

    Office 365 Groups

    You may want to turn off the following switches under Admin Center > Home > Services & add-ins > Office 365 Groups:

    • Let group members outside the organization access group content
    • Let group owners add people outside the organization to groups
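The SharePoint/OneDrive and Office 365 Groups switches above can be read and set from PowerShell as well as from the portal. The block below is an added example, not code from the original post: it assumes the SharePoint Online Management Shell and the AzureAD module are installed, that Connect-SPOService and Connect-AzureAD have already been run by a tenant admin, and that the partner domain list is a placeholder you replace with your own.

```powershell
# Added example (not from the original post): audit and tighten the guest switches for
# SharePoint/OneDrive and Office 365 Groups that the post lists as separate controls.
# Assumptions: Connect-SPOService and Connect-AzureAD already done; $PartnerDomains is a
# constructed placeholder allow-list.

Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Import-Module AzureAD

$PartnerDomains = @('partner-example.com')   # constructed placeholder, replace with your partners

# --- SharePoint / OneDrive: external sharing level plus domain allow-list ---------------
function Get-SharePointGuestSettings {
    Get-SPOTenant | Select-Object SharingCapability, SharingDomainRestrictionMode, SharingAllowedDomainList
}

function Set-SharePointGuestSettings {
    param([string[]]$AllowedDomains)
    # ExternalUserSharingOnly: guests must sign in, anonymous links stay off;
    # AllowList restricts sharing to the space-separated domain list
    Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
                  -SharingDomainRestrictionMode AllowList `
                  -SharingAllowedDomainList ($AllowedDomains -join ' ')
}

# --- Office 365 Groups: the two switches under Services & add-ins > Office 365 Groups ---
function Get-UnifiedGroupSetting {
    # The tenant-level Group.Unified setting object only exists once someone has changed a default
    $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
    if (-not $setting) {
        $template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq 'Group.Unified' }
        $setting = $template.CreateDirectorySetting()   # template defaults: both switches on
    }
    $setting
}

function Get-GroupsGuestSettings {
    $setting = Get-UnifiedGroupSetting
    [pscustomobject]@{
        # "Let group members outside the organization access group content"
        AllowGuestsToAccessGroups = $setting['AllowGuestsToAccessGroups']
        # "Let group owners add people outside the organization to groups"
        AllowToAddGuests          = $setting['AllowToAddGuests']
        SettingObjectExists       = [bool]$setting.Id
    }
}

function Set-GroupsGuestSettings {
    param([bool]$AllowGuestsToAccessGroups, [bool]$AllowToAddGuests)
    $setting = Get-UnifiedGroupSetting
    $setting['AllowGuestsToAccessGroups'] = $AllowGuestsToAccessGroups
    $setting['AllowToAddGuests']          = $AllowToAddGuests
    if ($setting.Id) { Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting }
    else             { New-AzureADDirectorySetting -DirectorySetting $setting }
}

# Read the current posture first
Get-SharePointGuestSettings
Get-GroupsGuestSettings

# Then apply the restrictive configuration when you are ready:
# Set-SharePointGuestSettings -AllowedDomains $PartnerDomains
# Set-GroupsGuestSettings -AllowGuestsToAccessGroups $false -AllowToAddGuests $false
```

Reading first matters because an absent Group.Unified setting object means the template defaults are in force, which is the permissive state the post tells you to turn off; the set function creates the object on first use and updates it thereafter.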

How to obtain an Exchange Hybrid Edition product key for your on-premises Exchange 2007 or Exchange 2003 organization

This was previously at https://support.microsoft.com/en-us/help/2939261

The new Hybrid Wizard is here: https://blogs.technet.microsoft.com/exchange/2018/07/20/hybrid-configuration-wizard-and-licensing-of-your-on-premises-server-used-for-hybrid/

Note The Hybrid Configuration wizard that’s included in the Exchange Management Console in Microsoft Exchange Server 2010 is no longer supported. Therefore, you should no longer use the old Hybrid Configuration wizard. Instead, use the Office 365 Hybrid Configuration wizard that’s available at http://aka.ms/HybridWizard. For more information, see Office 365 Hybrid Configuration wizard for Exchange 2010.


INTRODUCTION


If your on-premises Exchange organization is running Exchange 2007 or Exchange 2003, and if you want to connect your organization to Office 365 and your Exchange Online organization, you must install at least one on-premises Exchange 2013 or Exchange 2010 Service Pack 3 (SP3) server. This server is used for hybrid deployment connectivity that seamlessly connects your on-premises Exchange and Exchange Online organizations.

To avoid the additional cost of an Exchange 2013 or Exchange 2010 SP3 server license, you may qualify for a free Hybrid Edition product key for Exchange 2013 or Exchange 2010 SP3.

MORE INFORMATION


Obtain a Hybrid Edition product key

You can request a Hybrid Edition product key if all the following conditions apply to you:

  • You have an existing, non-trial, Office 365 subscription.
  • You currently do not have a licensed Exchange 2013 or Exchange 2010 SP3 server in your on-premises organization.
  • You will not host any on-premises mailboxes on the Exchange 2013 or Exchange 2010 SP3 server on which you apply the Hybrid Edition product key.

To obtain a Hybrid Edition product key for your Exchange 2013 server or Exchange 2010 SP3 server, go to the Exchange hybrid product key distribution wizard.

Note If the licensing tool does not work as expected, you can continue to receive Exchange licensing support at http://support.microsoft.com/ph/15834.

REFERENCES


Need help to set up your hybrid deployment? Access a customized, step-by-step hybrid deployment configuration checklist at the Exchange Server Deployment Assistant.

Need more information about Exchange 2013-based hybrid deployments? See Exchange Server 2013 hybrid deployments.

Need more information about Exchange 2010-based hybrid deployments? See Exchange Server 2010 hybrid deployments.

For more information about features across Office 365 options for Exchange Online, see Exchange Online Service Description.

Securing Guest Access in Azure AD

Office 365 can enable new ways of collaborating with suppliers and business partners. However, it is important to understand the security implications of this, and you will probably want to lock this down initially.

By default, any user can invite external third parties into your Office 365 tenant, where they may have access to your sensitive data. So in order to secure your data and applications, you should change the default settings.

External Collaboration Settings

By default, normal users can invite guests to Azure AD. So Members can invite should be turned off, and you should also turn off Guests can invite.

Note that users can still invite a guest who an Admin has already added to Azure AD. So if an Admin adds guests to Azure AD directly, those guests could then be added to any app by any user, which is why this should be avoided. To change the collaboration settings:

  • Navigate to https://portal.azure.com
  • Open Azure Active Directory
  • Click User Settings
  • Click Manage external collaboration settings, under External users at the bottom

Both of the bottom two options (Members can invite and Guests can invite) should be set to No.

Now you may still need guests to have access to individual apps. This can still be done either by Admins, or delegated to business users.

Inviting guests to your directory

  • You can invite guest users to the directory, to a group, or to an application.
  • The invited user’s account is added to Azure Active Directory (Azure AD), with a user type of Guest
  • The guest then has to redeem their invitation to gain access
  • You can either send the guest user a direct link to a shared app, or the guest user can click the redemption URL in the invitation email.
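The collaboration settings described in this post (and in the two earlier posts on this page, which walk through the same Members can invite / Guests can invite switches and the domain allow-list) and the invitation redemption state above can be audited together from PowerShell. The block below is an added example and not code from the original posts: it assumes a recent AzureAD module with Connect-AzureAD already run by an account with directory read rights, that the B2B domain restrictions are stored in the B2BManagementPolicy directory policy in the JSON shape Microsoft documents for New-AzureADPolicy, and that guest mail addresses can be recovered from the Mail attribute or the #EXT# user principal name.

```powershell
# Added example (not from the original posts): audit who may invite guests, what the
# domain allow/deny list is, and which existing guests fall outside that list.
# Assumptions: Connect-AzureAD already done; B2BManagementPolicy JSON shape as documented.

Import-Module AzureAD

function Get-GuestInvitationPosture {
    # Who may invite: 'everyone' and 'adminsGuestInvitersAndAllMembers' correspond to
    # Members can invite = Yes; 'adminsAndGuestInviters' is the posture this post recommends
    $authz = Get-AzureADMSAuthorizationPolicy
    $allowInvitesFrom = $authz.AllowInvitesFrom

    # Domain allow/deny list, stored as JSON in the B2BManagementPolicy directory policy
    $policy = Get-AzureADPolicy | Where-Object { $_.Type -eq 'B2BManagementPolicy' }
    $allowed = @(); $blocked = @()
    if ($policy) {
        $def = ($policy.Definition | ConvertFrom-Json).B2BManagementPolicy.InvitationsAllowedAndBlockedDomainsPolicy
        $allowed = @($def.AllowedDomains | Where-Object { $_ })
        $blocked = @($def.BlockedDomains | Where-Object { $_ })
    }

    # Existing guests, with the domain of their real address and their redemption state
    $guests = @(Get-AzureADUser -All $true -Filter "userType eq 'Guest'")
    $outside = foreach ($g in $guests) {
        # Guest UPNs look like user_domain.com#EXT#@tenant...; Mail usually holds the real address
        $addr = if ($g.Mail) { $g.Mail }
                else { ($g.UserPrincipalName -replace '#EXT#.*$', '') -replace '_([^_]+)$', '@$1' }
        $domain = ($addr -split '@')[-1].ToLower()
        $inAllow = ($allowed.Count -eq 0) -or ($allowed -contains $domain)
        if (-not $inAllow -or ($blocked -contains $domain)) {
            [pscustomobject]@{
                DisplayName = $g.DisplayName
                Domain      = $domain
                UserState   = $g.UserState          # PendingAcceptance = invitation not yet redeemed
                StateChanged = $g.UserStateChangedOn
            }
        }
    }

    [pscustomobject]@{
        AllowInvitesFrom       = $allowInvitesFrom
        AllowedDomains         = $allowed
        BlockedDomains         = $blocked
        GuestCount             = $guests.Count
        GuestsOutsideAllowList = @($outside)
    }
}

$posture = Get-GuestInvitationPosture
$posture | Format-List AllowInvitesFrom, AllowedDomains, BlockedDomains, GuestCount
$posture.GuestsOutsideAllowList | Format-Table -AutoSize
```

The list of guests outside the allow-list is the useful part: the domain restriction only stops new invitations, so guests who were added before the restriction (for example by an Admin directly) keep their access until you review them, and pending invitations show up with UserState of PendingAcceptance so you can see which ones were never redeemed.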

Inviting Guests to apps:

  • Either an admin can add guests to Azure AD, and then application owners can invite users to individual apps
  • Or, applications can be set up as self-service, so that application owners can add guests directly. This is the option we should use.


1. Add guest users to the Azure Active Directory (admin)

After a guest user has been added to the directory in Azure AD, an application owner can send the guest user a direct link to the app they want to share.

This is not normally a good idea, since the guests could then be added to other apps, even if collaboration settings have been disabled.

2. Add guest users to an individual application (admin)

This could be done if you do not want business users themselves to be able to invite guests for any reason, i.e. you want absolute control.

  • Sign in to the Azure portal as an Azure AD administrator.
  • In the navigation pane, select Azure Active Directory.
  • Under Manage, select Enterprise applications > All applications.
  • Select the application to which you want to add guest users.
  • On the application’s dashboard, select Total Users to open the Users and groups pane.
  • Select Add user.
  • Under Add Assignment, select User and groups.

3. Business users adding guests to an application

First, the application has to be configured for self-service.

Then a group can be assigned as an owner as follows (see https://docs.microsoft.com/en-us/azure/active-directory/b2b/add-users-information-worker#prerequisites for details):

  • Enable self-service group management for your tenant
  • Create a group to assign to the app and make the user an owner (note that the group has to be in AAD, not on premise, since the owner needs to be able to manage group membership)
  • Configure the app for self-service and assign the group to the app


These users can then invite guests to the app.


B2B Guest Inviter role

There is also a Guest Inviter role; however, you generally don’t want to use this, since it effectively allows the holder to invite anyone to anything, the same as an Admin (as noted above, Admins and users in the Guest Inviter role can invite).

https://docs.microsoft.com/en-us/azure/active-directory/b2b/add-users-administrator