Wednesday, March 28, 2012

Tier 1 Bpos to Office 365 Transition

I recently completed Ireland's first Tier 1 Bpos to Office 365 transition and would like to share the steps involved to achieve this.

My client was a global charity with their head quarters in Dublin and operating in 14 countries with 1400+ users spread over 90 locations and most with little or no it support.

As users were so dispersed throughout the globe the charity did not want to implement Single Sign On. One of the most critical requirements for the charity was the need to keep existing ost files on client machines. The reason for this is because some locations in Africa have poor Internet connectivity speeds and it could take weeks for the creation of a new Outlook profile to download and re-sync a local cached copy of a mailbox.So I confirmed with Microsoft that we could keep the existing OST's and they said we could. However the Office 365 Client Prereqs needed to be installed on each client machine prior to transition.

So I am going to bullet point in order the steps.

  • Engage with a Microsoft Office 365 transition manager

  • Remove Office Communicator prior to transition - this can be done running this command or a batch file MsiExec.exe /I{0F3AB690-1F39-40B8-9D4A-6E8DDA850FB0}/passive

  • Once that has been done install Microsoft Lync

  • Then install this UPDATE on all Client computers

  • Send out a communication to all staff stating that after transition they can access their web mail via and smart phones can access

  • One week before transition , setup Lync SRV Records for each domain as per Microsoft's GUIDE and internal firewall rules

  • One week prior to transition , reset user's passwords so that they comply with Office 365's password policy I did this very quickly and easily via Messageops powershell gui for Bpos

  • Then run the powershell below to ensure any mailboxes with delegated control preserve their custom permissions

Export Public Delegates

#$LiveCred = Get-Credential

#$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $LiveCred -Authentication Basic -AllowRedirection

#Import-PSSession $Session
get-mailbox -filter {grantSendOnBehalfTo -ne $null} select userprincipalname, grantsendonbehalfto export-clixml delegates.xml

get-mailbox -filter {grantSendOnBehalfTo -ne $null} select userprincipalname, grantsendonbehalfto export-csv delegates.csv

Import Public Delegates
#$LiveCred = Get-Credential

#$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $LiveCred -Authentication Basic -AllowRedirection

#Import-PSSession $Session
$logfile = "log-" + (get-date -uformat "%H%M-%Y%m%d") +".txt"
start-transcript $logfile
import-clixml delegates.xml foreach{
"User: " + $_.userprincipalname
foreach($i in $_.grantsendonbehalfto){
"GrantSendOnBehalfTo: " + $i
set-mailbox -identity $_.userprincipalname -grantsendonbehalfto @{Add=$i}



"number of mailboxes with grantSendOnBehalfTo : " + (get-mailbox -filter {grantSendOnBehalfTo -ne $null} ).count


  • During transition the external DNS records for autodiscover can be edited. So if you have a domain named you would create a CNAME record called and point it to

  • So once the transition has been complete, a user can still sign into the single sign in utility but Outlook will not be visible. The user can then open Outlook and will get a warning stating " An administrator has performed maintenance on your Outlook profile, Please restart outlook" So once the user restarts Outlook , the user will then be prompted for his/her user name and password.

  • Some Outlook clients may not want to connect to Office 365 via autodiscover and if that happens simply configure the Outlook profile via this website another great site from messageops.

  • Once Outlook can open and close without password prompts you can remove the single sign in utility by running this command MsiExec.exe /X{A91E3887-5185-4091-AF33-AB0048444055} /passive

  • I then wanted to chat to the charity's ICT manager so I enabled external federation by doing the following steps.

    Click "Manage" from Lync Online under Admin page
    If you are using E account, you will see current setting for Lync online for management page. If Domain federation or Public IM connectivity was disable under Current settings section, please enable them first.
    Click Domain federation: Select "Allow federation with all domains except those I block"
    Click Public IM: click "Enable" to active Public IM.
    After your enable federation, then you can see the External Access for particular user when editing setting

Ok so there are the technical steps and what is next for the charity. They were waiting for Office 365 before they did some customized development of Sharepoint online and now they can start this work. They absolutely love Lync and can easily communicate between 14 countries.Of the 1400+ users , there was an issue with 2 users , one in Dublin and one in Sudan!

My next blog post on Office 365 will be around the design and implementation of a ADFS 2.0 Farm which can tolerate one Active Directory site failure of a multi site Active Directory and still allow users to authenticate.


  1. This is a very good bullet point guide. Glad it worked out so well for you! We're doing a BPOS-to-O365 migration in June 2012.

    I will try your Export Public Delagates script to see if I know what *I* am doing.

  2. Awesome breakdown.

    When you imported your public delegates from the .csv and xml did you ever have weird issues where it was not able to find the server to connect to on the shared tenant space? Meaning you launch the remote PS session to get the exchange command-lets but even so it can't find the server?