Tuesday, October 16, 2018

Syncing Calendars and Contacts to Office 365 tenant with large number of mailboxes using CiraSync

By Harpreet Singh Wasu

If you are a CiraSync customer and have more than 1000 user mailboxes in Exchange Online, you will notice that when a sync task is run, five mailboxes get updated simultaneously. Normally, a single Service Account is configured for CiraSync and it can take over one day to update 1000 mailboxes.

This post will help you take the necessary steps to speed up the sync process using multiple Service Accounts.

Sample Calculations
We will use an example where it takes five minutes to update an individual mailbox. If five mailboxes are updated at once, a mailbox sync completes about once every minute.

With that speed, CiraSync can update 600 mailboxes in 10 hours (Ten hours = 600 minutes) or 20 hours to update 1200 mailboxes.

If you are syncing a huge contact list to user mailboxes, it may even take 10 minutes to update a single mailbox. With five parallel updates, that would mean completing a sync once every two minutes.

What would happen if your tenant had 3000 licensed CiraSync users getting synced at the rate of 10 minutes per mailbox?

For 3000 users getting synced at 10 minutes per mailbox, a rough calculation is that it takes 30,000 minutes (i.e. 500 hours). With five threads (simultaneous updates) using one Service Account, the sync task will take about 100 hours or about 4 days to complete.

So, how can I speed this up?

By configuring CiraSync with multiple Service Accounts, you increase the number of parallel tasks in multiples of five.

This simply means one Service Account is able to run five EWS threads at the same time. Thus, if you have four Service Accounts, a synchronization task will be able to run 20 threads at once.

Each thread updates one mailbox so you can have 20 simultaneous mailbox updates at one time.

Using the examples above, this could reduce the overall time of completion from 4 days to just one day.

Setting up a CiraSync tenant to be able to use Multiple Service accounts

The multiple service account feature is not enabled by default.

To enable your CiraSync tenant for multiple service accounts with Office 365, create a support request for this feature by sending an email to support at cirasync.com. 

You may already have a dedicated service account for CiraSync. Now you will need to create one or more Service Accounts for CiraSync.

To do this, follow the steps below. After each service account is created, you will use it to log in to the CiraSync dashboard, grant consent to the CiraSync Azure Application, and acquire a token.

Each new service account will need the 'Application Impersonation' role and Global Administrator. However, after the first login, you can change the service account from Global Administrator to Service Administrator in Office 365.

Here is a step by step guide for it.

1. Login to your Office 365 portal as a Global Administrator and Navigate to Office 365 Admin Center by clicking on Admin.

2. Click on Users > Active Users

3. Click on Add a User. Fill in the required details - First Name, Display Name. We recommend you use a consistent service account Display name to identify each account.

Set a strong Password and make it a Global Administrator. If you are syncing Public Folders, assign a License to the Service Account. Any License that includes an Exchange Online plan will do; it is needed so that a mailbox is created for the Service Account.

4. Once the new account is created, use a different browser, or use an IE/Edge InPrivate window. In Google Chrome, use an Incognito window. Navigate to https://dashboard.cirasync.com.

Login to the portal with the newly created Service Account.

5. In the screen snapshot shown below, you are initially entering as a Personal Edition User. You will need to click on Upgrade to Enterprise Edition to sign-in as Enterprise Edition user.

6. Give your consent by allowing CiraSync to access your tenant using the new service account. At the "Permissions requested, Accept for organization" prompt shown below, click Accept.

7. Make this new identity a Service account in CiraSync. On the upper right corner, click on the username you are signed-in with and select Settings.

8. From the navigation pane on the left, select Service Account option as shown below.

9. Here you can view all the accounts from Office 365 that have been used to sign-in to CiraSync dashboard or have been added to be used as Service Account for CiraSync.

Check the boxes next to all the accounts you want to use as Service Account for CiraSync and click on Save.

10. Once you choose the Service Accounts for CiraSync and save the changes, the screen will show the selected service accounts and the Save button will be grayed out.

After the service account is locked successfully, log out from the CiraSync dashboard portal.

Following the above steps, you can add and lock multiple service accounts for CiraSync. Once you lock the required number of service accounts for CiraSync, you can change the role of these service accounts from Global Administrator to Service Administrator in Office 365.

Follow the below steps for it:

11. Login to your Office 365 portal as a Global Administrator and Navigate to Office 365 Admin Center by clicking on Admin.

12. Click on Users > Active Users

13. Select the account that has to be changed from Global Admin to Service Admin. Click on Edit next to Roles.

14. Click on Customized Administrator radio button and then check mark the box next to Service Administrator and click on Save.
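A way to confirm that the role change in steps 11-14 was applied to every service account, as an added example that is not part of the original post. It assumes the Microsoft Graph PowerShell SDK is installed; the account names are placeholders.

```powershell
# Added example (not from the original post): list the Azure AD directory
# roles still held by the CiraSync service accounts and flag any account
# that is still a Global Administrator.
# Assumption: the Microsoft.Graph PowerShell module is installed.
# The UPNs below are placeholders; replace them with your own accounts.
$serviceAccounts = @(
    'cirasync-svc1@contoso.example',
    'cirasync-svc2@contoso.example',
    'cirasync-svc3@contoso.example'
)

# Read-only scopes are enough for this check.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All' | Out-Null

# directoryRoles lists the roles that are activated in the tenant.
$roles = Get-MgDirectoryRole -All

$report = foreach ($role in $roles) {
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    foreach ($member in $members) {
        # Members come back as generic directory objects; the UPN is in
        # AdditionalProperties (absent for groups and service principals).
        $upn = $member.AdditionalProperties['userPrincipalName']
        if ($upn -and ($serviceAccounts -contains $upn)) {
            [pscustomobject]@{
                Account = $upn
                Role    = $role.DisplayName
            }
        }
    }
}

# Every role each service account currently holds.
$report | Sort-Object Account, Role | Format-Table -AutoSize

# Accounts that were never downgraded after the first login.
$stillGlobalAdmin = $report | Where-Object Role -eq 'Global Administrator'
if ($stillGlobalAdmin) {
    $names = ($stillGlobalAdmin.Account | Sort-Object -Unique) -join ', '
    Write-Warning "Still Global Administrator: $names"
} else {
    Write-Output 'No listed service account holds Global Administrator.'
}

Disconnect-MgGraph | Out-Null
```

Run it after step 14 has been completed for the last account; any account named in the warning still needs its role changed.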

Now that you have locked the Service Accounts for CiraSync, don't forget to give the Application Impersonation role to these service accounts.

For step by step instructions, check out our blog post for How to Set Impersonation Mode for GAL or Public Folder Sync to User Mailboxes

If you have any questions or feedback regarding this process and working, feel free to reach our excellent customer support team at support@cirasync.com

Wednesday, September 5, 2018

How to Set Impersonation Mode for GAL or Public Folder Sync to User Mailboxes

By Harpreet Singh Wasu

There are two types of permissions that you can give to a service account for GAL or Public Folder Sync to User Mailboxes.

The first way you can give the permissions is by Delegation and second is by Impersonation.

This Blog Post shows how to setup the Service Account for Impersonation mode in Office 365 (Exchange Online).

If your organization is Cloud-Only (All mailboxes are in Office 365)  you should use the below steps to grant Application Impersonation role to your mailbox.

If you are looking to find the steps to give the permissions using mailbox Delegation, navigate to Exchange Service Account Permissions and itrezzo Contact Management

How to setup App Impersonation for Office 365 and Exchange 2013/2016 

1. Log in to your Office 365 portal as a Global Administrator and Navigate to Office 365 Admin Center by clicking on Admin.

2. From the Office 365 Admin Center, expand the navigation bar on the left side and scroll to the bottom and expand Admin and then click on Exchange. You can also navigate to Exchange Admin Centre (EAC) through https://outlook.office365.com/ecp/

3. From the EAC, either Click on Permissions on the left-hand navigation and make sure you are under Admin Roles Tab at the top or Click on Admin Roles below Permissions on the Home page of EAC

4. Check if you already have a Role Group created with Application Impersonation Role. If not, create a New Role Group by clicking on the + sign.

5. In the New Role Group window, give a name for this New Role Group. To make it easy to remember, you can name it App Impersonation. Give any description of your choice in the Description Box. Click + on Roles. Select Application Impersonation and Click Add and OK.

6. Now Click on + sign below the Members, add the Service Account as the Member of this Role Group, click on Add and OK.

7. Once it’s done, click on Save in the New Role Group Window.

It can sometimes take several minutes (generally 30-60 minutes) for these changes to become active and get replicated across all the directories.

If you would like to enable App Impersonation via PowerShell, read the blog post How to Configure an Office 365 Hybrid Premise Service Account.

You can also refer to the Microsoft Article on How to Configure Application Impersonation using PowerShell.
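The role group from steps 4-7, created and then audited from Exchange PowerShell, as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module (for on-premises Exchange 2013/2016, skip the connect line and run it in the Exchange Management Shell); the account names are placeholders.

```powershell
# Added example (not from the original post). Placeholders: the admin and
# service account addresses. The role group name is the one suggested in step 5.
$roleGroupName   = 'App Impersonation'
$serviceAccounts = @(
    'cirasync-svc1@contoso.example',
    'cirasync-svc2@contoso.example'
)

# Exchange Online only; omit in the on-premises Exchange Management Shell.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

# Step 4: reuse the role group if it already exists, otherwise create it
# with the ApplicationImpersonation role and the service accounts as members.
$group = Get-RoleGroup -Identity $roleGroupName -ErrorAction SilentlyContinue
if (-not $group) {
    New-RoleGroup -Name $roleGroupName `
        -Roles 'ApplicationImpersonation' `
        -Members $serviceAccounts `
        -Description 'Service accounts allowed to impersonate mailboxes for contact and calendar sync'
} else {
    foreach ($account in $serviceAccounts) {
        try {
            Add-RoleGroupMember -Identity $roleGroupName -Member $account -ErrorAction Stop
        } catch {
            # Typically raised when the account is already a member.
            Write-Verbose "Not added: $account ($($_.Exception.Message))"
        }
    }
}

# Audit: everyone who can impersonate mailboxes, through any role group or
# direct assignment. A RecipientWriteScope of 'Organization' means the
# holder can impersonate every mailbox in the organization.
Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' -GetEffectiveUsers |
    Where-Object EffectiveUserName -ne 'All Group Members' |
    Select-Object EffectiveUserName, RoleAssigneeName,
                  RecipientWriteScope, CustomRecipientWriteScope |
    Sort-Object EffectiveUserName |
    Format-Table -AutoSize
```

Any name in the audit output that is not one of the intended service accounts should be reviewed, since the role allows acting as any mailbox within its scope.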

Tuesday, April 10, 2018

How to create Dynamic DL's in Azure Active Directory

Vern Weitzman

Using On premise Exchange and Active Directory, almost any LDAP query can be turned into a Dynamic Distribution List.

Ironically, Active Directory on Azure has lobotomized LDAP. A very good substitute is available with Azure AD Premium.

If you are using itrezzo UCM, this post has a pretty good set of instructions on how to create a Dynamic Group for Office 365 usage.

The final step shows you how to create a contact collection. If you are a UCM user, you will want to finalize the process with an ECO Collection.

Tuesday, March 13, 2018

One Exchange Calendar synced between two different Exchange Servers

By Vern Weitzman

A Microsoft partner asked us for a specific Outlook calendar solution for an executive. The exec moved up the ranks to work part time at the HQ for a multinational conglomerate. For the foreseeable future, she was going to be using a mailbox at both Organizations.

Her calendar was a different story. Three people were going to continue managing her calendar. However, dozens needed view access at both organizations.

When there is literally a team of assistants that manage your calendar, it is likely filled for 12 months in advance with a full day's schedule. There are thousands of appointments and dozens of changes each day.

We have recently added an Outlook Calendar connector that can reach into remote Exchange Servers.  You create this like you create an ordinary Calendar Distribution List except that the source lives in a different Exchange Organization.

Create Remote Calendar Distribution List

Once you choose the Remote Exchange Calendar, you will be able to define the remote Exchange Server.

Note that the remote organization can be Exchange on-premise, or even an Office 365 tenant.

For more assistance, please contact itrezzo Support.

Monday, March 5, 2018

How to share contacts from two different Exchange Orgs

By Vern Weitzman

If you have ever had to share contacts from two different Exchange organizations on short notice, you might have tried something from the Exchange Managers handbook: Bi-nodal interorg PST transplant surgery.

Yes. I did just make that up.  My apologies if you started googling for the Exchange Managers Handbook.

However on many occasions I have worked with email administrators that have performed this annoying procedure. They export contacts to a PST. Email a zip file to a subsidiary.  Get told that it’s empty and have to repeat it again. You can email the zip file until Outlook is closed and you can send an email with Outlook closed. 

On the other side, it's even more painful. It is a slow and boring procedure to open mailboxes and drag and drop contacts.

If you have to share contacts both ways, it’s twice as miserable. It is painful enough that it rarely gets done and the contact information gets stale quickly. When you want to do a refresh, you have to wipe everything out and start over. Just deleting several hundred contacts from a mailbox can take quite a few minutes. It also causes quite a bit of Exchange server traffic as well as smartphone resync traffic.

With itrezzo UCM on premise (or Office 365), you can easily automate this procedure. Updates are done automatically as often as you like and incremental changes at the source are incremental at the target so it’s quick and bandwidth efficient.

How to Share Outlook Contacts between two Orgs

In itrezzo UCM, there are two constructs for pushing contacts:

  • MCL’s - Mandatory Contacts Lists
  • CCL’s - Custom Contact Lists

If you are pushing contacts from the Global Address List, an MCL is the best method. With an MCL, you can use mail enabled groups from Active Directory to select the members of the contact list you want to sync to your users. If a user already has a contact for a coworker, UCM will update that contact and start managing it as part of the contact list. It’s the best way to avoid duplicate contacts.

However in the example described at the top of the post, the contacts from the remote HQ GAL are presumably not in the local GAL. Thus, the prescription here is for a CCL.

A CCL can be used in almost all other cases. You can sync Outlook contacts from public folders, mailboxes, a SQL database or even a CSV. The final option (which we will use in this example) is to connect to Public Folder or mailbox contacts on a remote Exchange server.

To sync a public folder from our parent organization, we will create a Custom Contact List as shown below.

Navigate to the Unified Contact Manager container. Now select Custom Contact Lists. In the top right corner on the black and white toolbar, choose From Remote Exchange...  

choosing a contact source for an Outlook contact folder

The Remote Exchange Dialog box is displayed:
Choose Mailbox or Public Folder. Then select your contact folder

We start by entering the name of the contact list (1). This name is used as a category on each target contact so you want to keep the name precise and short.

The username (2) on the remote system does NOT need to have any particular domain or Exchange Server permissions. It is an ordinary mailbox that has REVIEWER permission on the source public folder.  In that way, the parent HQ doesn’t need to create a privileged account for use outside of their immediate IT organization.

In almost all cases, EWS (Exchange Web Services) is exposed at the same URL as OWA. We will need to put the fully qualified URL (3) with the suffix /EWS/Exchange.ASMX.

Next we select Public Folder (4) at the bottom.  If our credentials and URL endpoint are correct, we see the public folder hierarchy in the remote organization.  Now we navigate to the desired public folder and select it.

Next click on the Targets tab (7) and you will see the dialog as shown below.

Setup the target contact folder in Outlook

I typically recommend using a subfolder for external contacts (8).  All of the target users have iPhones and they will sync contact subfolders from their Exchange Mailbox.

A subfolder (9) will automatically be created in every target mailbox. Again, it is important to use a very precise name (9). Users will see this folder on both their desktop and smartphone.

We always recommend adding a category (10)  to each target contact. This makes it easier for users to see the contacts as a group.

The last and final step is to choose the target users (11) that will receive the contacts from the remote Exchange Server. We recommend that you use a collection to configure the targets.

Save the CCL and we now see contacts from remote Exchange Server in the grid.


We will also license all of the target users.

For a quick test, we will navigate to the User Statistics container and run UCM on a single user. After that completes, there will be a NY HQ subfolder in that user’s mailbox.

On the next scheduled UCM Task, all users will get the NY HQ contacts.

Sunday, June 26, 2016

How I got my head out of my SaaS and into the Azure Cloud

We have spun out a new company to better service Office 365 tenants that want to sync the GAL and Public Folders to smartphones. Here is the story.

Thursday, February 18, 2016

Set Impersonation Mode for GAL or Public Folder Sync to User Mailboxes

By Vern Weitzman

There are two types of permissions that you can give to a service account so that it can easily update contacts, appointments and sticky notes inside of users' mailboxes. Delegation is the most common permission used for on-premise Exchange Servers. It allows granular permissions

This blog post shows the steps required to enable a user or service account to open mailboxes in impersonation mode on Office 365 Exchange.

1. Log in to your Office 365 Management Console as a Global Administrator. Under the ADMIN menu, launch Exchange.

2. Next you will see the Exchange admin center. Launch the admin roles menu beneath Permissions.

3. After you click admin roles, click the plus (+) symbol to add a new role. If another role already exists that has impersonation, you can just edit that role.

After you hit the plus (+) symbol to add a new role (or edit an existing one), the roles dialog appears.  If it’s a new role, type the name App Impersonation.

Add the service account under Members. If you are using the cloud service and don’t have a service account yet, you should grant the App Impersonation role to your mailbox (or to whatever mailbox that you used to set up the cloud service).

It can sometimes take several minutes for these changes to become active.

If you would like to enable App Impersonation via PowerShell, read the blog post How to Configure an Office 365 Hybrid Premise Service Account.

Sunday, July 26, 2015

Sync the Office 365 GAL to Outlook

By Vern Weitzman

Sync the Office 365 GAL to iPhone, Android and Other Smartphones

You may already know that your iPhone and Android users will be much more productive if they have a cached copy of the GAL in their contacts.

If you are not familiar with the itrezzo Unified Contact Manager and want to sync the GAL,

Configuring itrezzo Contact Management with Azure AD

We recently worked with a customer that had 3000 mailboxes in their Office 365 GAL. The Unified Contact Manager, our unified contact management tool, was using Exchange Web Services and GAL sync was failing miserably.

We wanted to fall back to LDAP since they were running DirSync. Unfortunately, there were three different domains from different locations syncing into Office 365. Each of them had a unique copy of their local GAL. Office 365 had the only complete master copy of all GAL entries.

That is the point where we switched their GAL access type to Azure AD. Things worked perfectly after that.

If you want to Sync the Office 365 GAL to a smartphone, this post explains how and why you might need to use Azure AD.

Graph API

Office 365 Global Address List Types

The snapshot above shows three possible ways that the Unified Contact Manager can create a contact list using the GAL.

  1. If you have DirSync to on-premise AD, you can configure LDAP.
  2. The default method to sync the Office 365 GAL is Exchange Web Services (EWS).
  3. For an Office 365 GAL with more than a few hundred users, an ideal solution is to use Azure Active Directory. Microsoft provides access to Azure AD through the Graph API.

Setting up the Office 365 Tenant to use Azure AD

Using the Graph API connector does take a few extra steps.  The first requirement is to grant the itrezzo Unified Contact Manager permissions to use the Azure Active Directory. If you don't know how to do this, use the procedure detailed in this blog post.

This procedure has you save the Client ID and Tenant ID to the Notepad. You will need it below.

After Azure AD permissions are enabled, run the itrezzo Web Admin and open the Global Configuration Menu. Choose Global Address List.  Select Graph API and fill in your organization's information. An example is shown below.

Paste in the Client ID at the bottom of the Graph API settings.

The Tenant name should match the primary internet domain name.

You should also have the Tenant ID in Notepad. Paste it to the Graph API Tenant ID shown above.  

The login credentials for a Tenant Admin should be used. Typically the itrezzo Service mailbox might lack tenant admin permissions.

Once you have saved the new credentials, restart the itrezzo ECO Platform service.

Under Active Directory, you should now see the GAL as it appears in Outlook on Office 365.  
You may need to click the gear icon in the top right corner of the grid to get Active Directory to refresh.

You can also create a collection. When you try to search the GAL to add members to the collection, it will now use Azure AD.  If this fails, Azure AD is not properly configured.

To diagnose failures, open the logs for the current day of the week. Scroll to the bottom of the ECO log. It will have some error messages. Look for the Azure error result. If you can’t resolve this on your own, feel free to contact itrezzo Support.