Powershell Script to Check if Office 365 Tenants (Partners) Are Using Outlook 2007 – Run Before October 31, 2017

UPDATE: Microsoft has softened their stance and are not going to cut-off Outlook 2007 connections. More info here.

Microsoft recently announced ‘RPC over HTTP reaches end of support in Office 365 on October 31, 2017‘. “MAPI over HTTP was not backported to Outlook 2007 or earlier versions. If you’re using Outlook 2007, you will be in an unsupported state on October 31, 2017. If you want to continue to access Exchange Online mailboxes through the Office 365 portal (portal.office.com), we recommend that you move to a current version of Outlook that is under mainstream support, or use Outlook on the web.”

This basically means if anyone is using Outlook 2007, they need to upgrade their Outlook to a newer version to continue using Outlook with Office 365.

Microsoft provided some Powershell scripts to help with checking your organization for Outlook 2007 connections. This is clearly documented in the section titled ‘How can I identify which Outlook version and build number my users are connecting with?‘ If you only have one organization to manage, these Powershell commands are your best bet.

But what about if you manage multiple organizations as a partner/delegated admin? Microsoft doesn’t offer a solution for this. Since we manage multiple Office 365 tenants and want our customers to get email on November 1st we wrote a little script to check all tenants for Outlook 2007 connections.

Show Auditing

The first step is to document who has auditing turned on or off. This way, you can return auditing back to the client’s preferred setting if necessary. Auditing is turned off by default in Office 365. For this, we wrote the function “ShowAuditing”.

function ShowAuditing{
    foreach($Domain in $Domains){
        # Connect to partner domain
        Write-Host "Connecting to $Domain"
        $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell-liveid?DelegatedOrg=$Domain -Credential $UserCredential -Authentication Basic -AllowRedirection
        Import-PSSession $Session
        Write-Host "Session connect complete"
        Get-Mailbox | Select-Object Identity, AuditEnabled, AuditOwner
        Get-PSSession | Remove-PSSession
    }
}

Enable Auditing

The next step is to enable auditing on every mailbox. For this, we wrote the function “EnableAuditing”. After enabling auditing you will have to wait a few days for users to connect to Office 365 and have their connections logged. Microsoft says auditing may take 24 hours to turn enable.

# Function to enable auditing on every mailbox on every domain.
function EnableAuditing{
    foreach($Domain in $Domains){
        # Connect to partner domain
        Write-Host "Connecting to $Domain"
        $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell-liveid?DelegatedOrg=$Domain -Credential $UserCredential -Authentication Basic -AllowRedirection
        Import-PSSession $Session
        Write-Host "Session connect complete"

        Get-Mailbox | Set-Mailbox -AuditOwner MailboxLogin -AuditEnabled $true
        Get-PSSession | Remove-PSSession
    }
}

Search Through All Tenants, Find Users Using Outlook 2007

At this point, you should have waiting 24 hours for auditing to turn on and 2-3 days for users to connect to Office 365 and have their connections logged in auditing. Finally, we can loop through each tenant and see who is using Outlook 2007. This will create a file called “UnsupportedOutlookConnections.csv” in the same folder you are running this script from.

# Function to check each partner managed domain for unsupported Outlook connections (2003 and 2007), dump to UnsupportedOutlookConnections.csv in current folder
function SearchOutlookUnsupported{
    # Create a new CSV/wipe out the old one
    Write-Host "" | export-csv .\UnsupportedOutlookConnections.csv

    foreach($Domain in $Domains){
        # Connect to partner domain
        Write-Host "Connecting to $Domain"
        $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell-liveid?DelegatedOrg=$Domain -Credential     $UserCredential -Authentication Basic -AllowRedirection
       Import-PSSession $Session
        Write-Host "Session connect complete"
       # Dig through the audits and look for version 12.x
       # Outlook 2007 is 12.x - bad
       # Outlook 2010 is 14.x - good
       Get-Mailbox | Search-MailboxAuditLog -LogonTypes owner -ShowDetails | ? { $_.ClientInfoString -like "*Outlook 12*" } | select MailboxOwnerUPN,Operation,LogonType,LastAccessed,ClientInfoString | export-csv -Append .\UnsupportedOutlookConnections.csv
       Get-PSSession | Remove-PSSession
    }
}

The Full Script

Now that you have read through the code and have an understanding of what it will do – show you who has auditing turned on, enable auditing on all mailboxes, and check each mailbox to see if the user is connecting with Office 2007 – you can run it. We have run this on our clients without issue. CSSI provides no warranty. Run at your own risk.

# Office 365 Parter Outlook Unsupported Checker
#
# cssi.us
#
# By default this script does nothing but connect to MSOL. Go to the bottom of the script to uncomment appropriate lines.
# Microsoft says it can take up to 24 hours for auditing to be enabled. You should enable auditing and wait a few days so you can log the connections.

#### Functions ####
# Function to check if tenants have Auditing Enabled. Good for documenting before/after.
function ShowAuditing{
    foreach($Domain in $Domains){
        # Connect to partner domain
        Write-Host "Connecting to $Domain"
        $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell-liveid?DelegatedOrg=$Domain -Credential $UserCredential -Authentication Basic -AllowRedirection
       Import-PSSession $Session
       Write-Host "Session connect complete"
       Get-Mailbox | Select-Object Identity, AuditEnabled, AuditOwner
       Get-PSSession | Remove-PSSession
    }
}

# Function to enable auditing on every mailbox on every domain.
function EnableAuditing{
    foreach($Domain in $Domains){
        # Connect to partner domain
        Write-Host "Connecting to $Domain"
        $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell-liveid?DelegatedOrg=$Domain -Credential $UserCredential -Authentication Basic -AllowRedirection
        Import-PSSession $Session
        Write-Host "Session connect complete"

        Get-Mailbox | Set-Mailbox -AuditOwner MailboxLogin -AuditEnabled $true
        Get-PSSession | Remove-PSSession
    }
}

# Function to check each partner managed domain for unsupported Outlook connections (2003 and 2007), dump to UnsupportedOutlookConnections.csv in current folder
function SearchOutlookUnsupported{
    # Create a new CSV/wipe out the old one
    Write-Host "" | export-csv .\UnsupportedOutlookConnections.csv

    foreach($Domain in $Domains){
        # Connect to partner domain
        Write-Host "Connecting to $Domain"
        $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell-liveid?DelegatedOrg=$Domain -Credential $UserCredential -Authentication Basic -AllowRedirection
        Import-PSSession $Session
        Write-Host "Session connect complete"

        # Dig through the audits and look for version 12.x
        # Outlook 2007 is 12.x - bad
        # Outlook 2010 is 14.x - good
        Get-Mailbox | Search-MailboxAuditLog -LogonTypes owner -ShowDetails | ? { $_.ClientInfoString -like "*Outlook 12*" } | select MailboxOwnerUPN,Operation,LogonType,LastAccessed,ClientInfoString | export-csv -Append .\UnsupportedOutlookConnections.csv
        Get-PSSession | Remove-PSSession
        }
}

#### MAIN Procedure ####
# Connect to MSOL
Import-Module MSOnline
$UserCredential = Get-Credential
Connect-MsolService –Credential $UserCredential

# Get the list of partner managed clients
$Clients = (Get-MSOLPartnerContract)

# Get the default domain name from each client
$Domains = $Clients.defaultdomainname

# Uncomment the next line to show if users have auditing turned on or not (Suggested to do on day 1)
#ShowAuditing

# Uncomment the next line to enable Auditing on each client (Suggested to do on day 1)
#EnableAuditing

# Uncomment the next line to export multiple CSVs so you can see if there are any Outlook 2007 connections (Suggested to do on day 3+)
#SearchOutlookUnsupported

About

Tyler is a project manager and technician at CSSI. He specializes in server management, programming/scripting (python, bash, Powershell, and php). In his spare time he enjoys running ultramarathons and sipping craft beer. View Linkedin Profile

Leave a Reply

Your email address will not be published. Required fields are marked *

*

Are you a robot? * Time limit is exhausted. Please reload CAPTCHA.