Connect a Shared Mailbox from O365 to Outlook via IMAP

I was recently asked how to connect a shared mailbox via IMAP to an Outlook client. This isn’t standard behavior or common practice, as only a licensed user should access a mailbox. I know there are many resources and suggestions online, but I am aiming to clear this one up using an Outlook 2016 client, which does work with Office 365!

First of all create a shared mailbox, in this instance we are using Then give full permissions as you normally would for a licensed account in this instance

  1. Open up the profile manager on Outlook
  2. Add a new profile, and give it a name
  3. Select “connect to a different account” in the bottom right hand corner
  4. Select “Manual setup or additional server types”
  5. Select POP or IMAP
  6. Fill out the following information
    • Your Name – Whatever you want
    • Email address –
    • Account Type – IMAP
    • Incoming mail server –
    • Outgoing mail server –
    • User name –\
    • Password – The password for
    • Tick the box for remember password
    • Select the more settings button
    • Under the Outgoing Server tab select “My outgoing server (SMTP) requires authentication” and “Use same settings as my incoming mail server”
    • Select the Advanced tab
    • Under incoming server IMAP enter – 993 and SSL/TLS
    • Under Outgoing server (SMTP) enter – 587 and STARTTLS
    • Select Ok
  7. Then Next and the test should pass successfully and you are good to go.

Lepide Exchange Recovery Manager

Extracting Exchange Server mailboxes from backup files

Exchange Server backup files can prevent server downtime caused by Exchange Server database failures. If you are taking regular backups, your business output should not be drastically affected when the server fails. When devising your backup strategy, keep in mind the main requirements of your business, including cost, to ensure a smooth flow of operations.

Even if you are taking regular backups, a situation may sometimes arise in which the solution you have adopted fails. In these situations, Exchange Server administrators have the option of using third-party solutions such as Lepide Exchange Recovery Manager, which will enable you to quickly perform a complete recovery of the Exchange Server database. This blog will go over the steps you need to take to recover your mailboxes using this solution.

Lepide Exchange Recovery Manager

Lepide Exchange Recovery Manager can be used to extract full EDB files from existing backup files and to perform granular restoration of selected mailboxes and their content; including messages, contacts, attachments and other items. The solution supports the following backups: .BKF of Windows NT Backup, .BKF of Symantec Backup, .BKF of Veritas Backup, .fd of HP Backup and .CA ARCserve Backup.

It is simple to recover mailboxes using Lepide Exchange Recovery Manager. Perform these steps:

1. Browse and add the backup file to the solution. The following image shows the option for extracting different third-party backup files:


2. Once the backup file has been scanned, the solution gives a preview of the recoverable files. From this page you can select which files you want to extract. The left pane shows Storage Groups and the folders within them. In the right pane, EDB file and STM file within the mailbox store are displayed.


3. The recovered database files from the Exchange Server backup can be exported to extract its mailboxes. In the following image, the various options available for the recovered files have been shown. You can either export selected files or all files to the local disk.


Now that the EDB file has been extracted from the backup, you can use the Exchange Management Console or Exchange Administrative Center to mount it to the Exchange Server. Bear in mind that you can only do this if it is not corrupted and the mailboxes in the extracted EDB file do not clash with the mailboxes in the already mounted EDB files.

If the extracted EDB file is un-mountable, if the currently mounted EDB file is an old backup version, or if you simply want to restore just the selected emails, you can use Lepide Exchange Recovery Manager. The solution allows you to restore all mailboxes, or a selection of mailboxes, directly to the Live Exchange Server.

The following steps show you how to do this:

4. When you start the solution for the very first time, the “Add Source” wizard will be displayed. Simply select the option to add the EDB file as the Source and follow the onscreen instructions. Scanning the EDB files for errors and adding them to solution is a quick and easy process.

5. Once you have added the extracted EDB file, you can see a preview of the recovered mailbox items on the solution’s interface. You can then recover the entire EDB, selected mailboxes or selected content. The following image shows the different options for adding Exchange Server data files and Live Exchange Server to the solution and exporting them to PSTs. It also displays options for moving these files to the Live Exchange Server and to Office 365:


6. In the image below, a preview of the recovered mailboxes is shown on the application’s interface. In the left pane, the recovered folders of the mailbox are shown in the familiar Microsoft Outlook format. In the right pane, the recovered messages within the folders are displayed. These messages can be filtered, sorted and exported in any format.


7. Before exporting, these messages can be searched based on numerous criteria. The following image shows the different search criteria and the search results. Many types of data files can be searched together along with Live Exchange Server. The search result can be exported to numerous formats, including MSG and EML. Before exporting, you can see their preview and even extract their attachments.


8. Users get the following options in the search result. They can then open emails to view their content, export them as EML, MSG or PST, or import them to their Live Exchange Server and extract their attachments.

In Summary

Lepide Exchange Recovery Manager allows you to easily recover Exchange mailboxes from all kinds of Exchange Server database backup files, regardless of whether they are in a healthy or damaged state. The solution has an easy-to-understand interface that simplifies any data recovery and, when used correctly, should put an end to all difficulties you may face with extracting mailboxes from Exchange backup files.




OWA Attachment Controls in Office 365

A customer recently asked for the following settings: “I want to block users from downloading attachments in OWA (Outlook on the Web) but allow them to edit documents in Office Online.”

Simple enough scenario or so I thought!

Looking at the GUI the only option you have under file access is “Direct file access” which allows full control and downloading of documents. Turning this off blocks all file attachments from editing, downloading or saving to OneDrive for Business.

OK, so let’s look under the hood in PowerShell at the OWA mailbox policy. The options available to us that we want to look at are as follows:

DirectFileAccessOnPublicComputersEnabled – Specifies left-click and other options available for attachments when the user has signed in to Outlook Web App from a computer outside of a private or corporate network. If this parameter is set to $true, Open and other options are available. If it’s set to $false, the Open option is disabled.

ForceWacViewingFirstOnPublicComputers – Specifies whether a user who signed in to Outlook Web App from a computer outside of a private or corporate network can open an Office file directly without first viewing it as a webpage.

Specifies whether a user who has signed in to Outlook Web App can open a document directly without first viewing it as a webpage.

WacViewingOnPublicComputersEnabled – Specifies whether a user who has signed into Outlook Web App from a computer outside of the corporate network can view supported Office files using Outlook Web App.

Specifies whether WebReady Document Viewing is enabled when the user has signed in from a computer outside of the corporate network.

*Although this command appears if you run Set-OwaMailboxPolicy, you CANNOT update the settings.

The first item I will point out is: how does Office 365 know what is public or private? Well, the short answer is it doesn’t! Everything is private.

So how can it? With some further digging, it turns out you need ADFS deployed and a claim rule as follows, as this will identify the location of the users.

Below I will describe how to configure the controls as requested.

First of all, in PowerShell you need to run:

    Set-OrganizationConfig -PublicComputersDetectionEnabled $true

Then within ADFS you need to do the following (this is based on ADFS 2.0; once carried out on ADFS 3.0 I will update):

  1. On the Start Screen, type AD FS Management, and then press Enter.
  2. In the AD FS console tree, under AD FS\Trust Relationships > Relying Party Trusts, select O365 Identity Platform.
  3. In O365 Identity Platform, click Edit Claim Rules > Add Rule > Issuance Transform Rules.
  4. On the Select Rule Template page, under Claim rule template, select Send Claims Using a Custom Rule from the list, and then click Next.
  5. On the Configure Rule page under Claim rule name type the display name for this rule.
  6. Under Custom rule, input the following: exists ([Type == ""]) => issue(Type = "", Value = "false");
  7. Next, input the following: NOT exists ([Type == ""]) => issue(Type = "", Value = "true");
  8. Click Finish.
  9. In the Edit Claim Rules dialog box, click OK to save the rule.

Once you have set the above, set the following within your OWA mailbox policy:

    Set-OwaMailboxPolicy -Identity MyOWAPolicy -DirectFileAccessOnPrivateComputersEnabled $false -ForceWacViewingFirstOnPrivateComputers $true -WacViewingOnPrivateComputersEnabled $true

Finally, apply the policy to the user(s) it should apply to.

What the above configuration will do is stop users from downloading attachments while still allowing them to edit and view them within a browser.

If you want to set the same policies externally as well, you can follow the same steps, swapping the Private parameters in the command for their Public counterparts, and you must use ADFS.
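To confirm that a policy really ends up in the "view and edit in the browser, no download" state, the three settings can be read back and classified per scope. This is an added example, not code from the original post; the function name `Get-OwaAttachmentPosture` and the sample policy objects are constructed for illustration, and the rule that Public settings only take effect once public computer detection is enabled follows the post's description.

```powershell
# Added example (not from the original post): classify what each OWA mailbox
# policy lets users do with attachments, using the settings the post configures.

function Get-OwaAttachmentPosture {
    [CmdletBinding()]
    param(
        # A policy object as returned by Get-OwaMailboxPolicy
        # (or a stand-in object with the same property names).
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Policy,

        # Value of (Get-OrganizationConfig).PublicComputersDetectionEnabled.
        [bool]$PublicDetectionEnabled = $false
    )
    process {
        foreach ($scope in 'Private', 'Public') {
            $directAccess = [bool]$Policy."DirectFileAccessOn${scope}ComputersEnabled"
            $wacViewing   = [bool]$Policy."WacViewingOn${scope}ComputersEnabled"
            $wacFirst     = [bool]$Policy."ForceWacViewingFirstOn${scope}Computers"

            # Direct file access is the setting that permits download/save.
            if ($directAccess)   { $posture = 'DownloadAllowed' }
            elseif ($wacViewing) { $posture = 'BrowserOnly' }
            else                 { $posture = 'AttachmentsBlocked' }

            [pscustomobject]@{
                Policy    = $Policy.Name
                Scope     = $scope
                Posture   = $posture
                WacFirst  = $wacFirst
                # Per the post, without detection every session is treated as private.
                InEffect  = ($scope -eq 'Private') -or $PublicDetectionEnabled
                MeetsGoal = ($posture -eq 'BrowserOnly')
            }
        }
    }
}

# Constructed sample input so the function can be tried without a tenant session.
$constructedPolicies = @(
    [pscustomobject]@{
        Name = 'MyOWAPolicy'
        DirectFileAccessOnPrivateComputersEnabled = $false
        ForceWacViewingFirstOnPrivateComputers    = $true
        WacViewingOnPrivateComputersEnabled       = $true
        DirectFileAccessOnPublicComputersEnabled  = $true
        ForceWacViewingFirstOnPublicComputers     = $false
        WacViewingOnPublicComputersEnabled        = $true
    },
    [pscustomobject]@{
        Name = 'ConstructedLockedDownPolicy'
        DirectFileAccessOnPrivateComputersEnabled = $false
        ForceWacViewingFirstOnPrivateComputers    = $false
        WacViewingOnPrivateComputersEnabled       = $false
        DirectFileAccessOnPublicComputersEnabled  = $false
        ForceWacViewingFirstOnPublicComputers     = $false
        WacViewingOnPublicComputersEnabled        = $false
    }
)

$constructedPolicies |
    Get-OwaAttachmentPosture -PublicDetectionEnabled $false |
    Format-Table -AutoSize

# Against a live tenant (Exchange Online PowerShell session assumed):
#   $detect = (Get-OrganizationConfig).PublicComputersDetectionEnabled
#   Get-OwaMailboxPolicy | Get-OwaAttachmentPosture -PublicDetectionEnabled $detect
# Mailboxes that the policy does not cover:
#   Get-CASMailbox -ResultSize Unlimited |
#       Where-Object { "$($_.OwaMailboxPolicy)" -ne 'MyOWAPolicy' }
```

A row with `Posture` of `DownloadAllowed` and `InEffect` of `True` is a scope where attachments can still leave the browser.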

Configure Lync/SfB with Office 365 for server to server authentication

Recently I was advised there were a lot of events being generated from a customer’s Lync server. They had recently migrated all their mailboxes to Office 365 but were using Enterprise Voice on premise. The event being generated was as follows:

Event ID – 32053 from the LS Storage Service – Storage Service had an EWS Autodiscovery failure.

I won’t paste the whole error here, but the crux of the error was as follows:

“ExchangeAutodiscoverException: code=ErrorEwsAutodiscover, reason=GetUserSettings failed,, Autodiscover Uri=, Autodiscover WebProxy=<NULL> —> Microsoft.Exchange.WebServices.Data.ServiceRequestException: The request failed. The request was aborted: The request was canceled. —> System.Net.WebException: The request was aborted: The request was canceled. —> “

Looking into this, the Lync server could not create the connection to Office 365. I could see Autodiscover was working, and the server could get a logon prompt when hitting the URL.

So I decided to check the OAuth configuration with Get-CsOAuthConfiguration and could see the URL for Exchange Autodiscover was set correctly; however, the ClientAuthorizationOAuthServerIdentity was still pointing at the hybrid Exchange management server. This led me on to the question: how do you set up an OAuth trust between a cloud service and on-premise servers?

Luckily enough, help is at hand and I will try to guide you through the process…

First of all you must connect to PowerShell for the MSOL service in O365 and run the following get command:

  1. Get-CsTenant, and then grab the DisplayName of your Office 365 tenancy.
  2. Fire up a Lync/SfB on-premise PowerShell management session and then run the following command:
    New-CsOAuthServer microsoft.sts -MetadataUrl ""Displayname"/metadata/json/1" where "Displayname" is the name you got from step one
  3. Then run Get-CsPartnerApplication “” – if you get a result, carry out step 4; if not, move on to step 5.
  4. Remove-CsPartnerApplication “Microsoft.Exchange”
  5. New-CsPartnerApplication -Identity -ApplicationIdentifier 00000002-0000-0ff1-ce00-000000000000 -ApplicationTrustLevel Full -UseOAuthServer

Once this is complete, you have configured Lync/SfB to use the Office 365 OAuth servers and you will start to see the following errors in the Event Log:

Event ID 32054 – LS Storage Service – Storage Service had an OAuth authentication failure. CreateAppActAsToken failed, ex=OAuthConfigException: code=ErrorOAuthSts, reason=Recv RST response, failed, sts=, resource=00000002-0000-0ff1-ce00-000000000000/, ex=The remote server returned an error: (401) 

This is fine at this stage, as we haven’t created the trust between on premise and Office 365 yet.

  1. Connect to Office 365 MSOL PowerShell whilst importing the following module: Import-Module MSOnlineExtended
  2. Run Get-MsolServicePrincipal – this will return lots of results, but you are specifically after the one with the display name “Microsoft Lync Server”.
  3. At this stage I have made an assumption, which is that the OAuth certificate used by the Lync/SfB server on premise is up to date and is available to be exported. If not, renew it!
  4. Open up the MMC for certificates and identify the exact certificate currently assigned to OAuth for Lync/SfB; this is generally an internal certificate. Export it as X.509 Base64 (which is not the default).
  5. Then run the following PS script, where the line $certificate.Import contains the location of the exported certificate:
    # Load the exported OAuth certificate (public part only)
    $certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate
    $certificate.Import("<path to the exported .cer file>")
    # Base64-encode the raw certificate data for upload to the service principal
    $binaryValue = $certificate.GetRawCertData()
    $credentialsValue = [System.Convert]::ToBase64String($binaryValue)
    New-MsolServicePrincipalCredential -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000 -Type Asymmetric -Usage Verify -Value $credentialsValue -StartDate 02/12/2015 -EndDate 01/12/2016
  6. For the above command there are two items to bear in mind: first, the StartDate cannot be before today, and second, the EndDate can only be for a period of one year, so even if the certificate lasts longer this setup can only last for a year!
  7. Get-MsolServicePrincipalCredential -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000 - The Returnkeyvalue is "Asymmetric"
  8. Then you should get a result with your certificate with the dates specified.
  9. Finally, you need to change the Set-CsOAuthConfiguration -ExchangeAutodiscoverUrl value from https to http, as currently https will not pass the tests and will also flag up errors. This is done from the on-premise Lync/SfB Management Shell.

Then you should be able to run Test-CsExStorageConnectivity -Verbose and get a test passed result!

You should also see an event with ID 32048 where it states “OAuth was properly configured for Storage Service.

CsOAuthConfiguration validly configured”

Finally, when you need to renew your setup, which will be every year, you will need to remove the MSOLServicePrincipal and replace it with your new certificate using the above process!
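Because the credential has to be replaced every year, it helps to work out the allowed date window before uploading and to flag credentials that are close to expiry. This is an added example, not code from the original post; the function names `Get-OAuthCredentialWindow` and `Get-ExpiringCredential` are hypothetical, the sample dates and key IDs are constructed, and the two rules encoded (start not before today, end at most one year later) are the ones the post states.

```powershell
# Added example (not from the original post).

function Get-OAuthCredentialWindow {
    # Works out -StartDate / -EndDate values that satisfy the post's two rules:
    # the start cannot be before today and the window cannot exceed one year.
    param(
        [Parameter(Mandatory)][datetime]$NotBefore,   # certificate NotBefore
        [Parameter(Mandatory)][datetime]$NotAfter,    # certificate NotAfter
        [datetime]$Today = (Get-Date).Date
    )
    if ($NotAfter -le $Today) {
        throw "Certificate expired on $NotAfter; renew it before uploading."
    }
    # Start today unless the certificate is not yet valid.
    if ($NotBefore -gt $Today) { $start = $NotBefore } else { $start = $Today }
    $oneYear = $start.AddYears(1)
    # End at the certificate expiry or one year out, whichever comes first.
    if ($NotAfter -lt $oneYear) { $end = $NotAfter } else { $end = $oneYear }

    [pscustomobject]@{
        StartDate                     = $start
        EndDate                       = $end
        CertificateOutlivesCredential = ($NotAfter -gt $end)
    }
}

function Get-ExpiringCredential {
    # Emits credentials that are expired or expire within $WarnDays.
    param(
        [Parameter(Mandatory, ValueFromPipeline)][psobject]$Credential,
        [int]$WarnDays = 30,
        [datetime]$Today = (Get-Date).Date
    )
    process {
        $daysLeft = [int][math]::Floor(($Credential.EndDate - $Today).TotalDays)
        if ($daysLeft -le $WarnDays) {
            if ($daysLeft -lt 0) { $state = 'Expired' } else { $state = 'ExpiringSoon' }
            [pscustomobject]@{
                KeyId    = $Credential.KeyId
                EndDate  = $Credential.EndDate
                DaysLeft = $daysLeft
                State    = $state
            }
        }
    }
}

# Constructed sample data so both functions can be tried offline.
$today = [datetime]'2015-12-02'

Get-OAuthCredentialWindow -NotBefore ([datetime]'2014-06-01') `
                          -NotAfter  ([datetime]'2018-06-01') `
                          -Today     $today

$constructedCredentials = @(
    [pscustomobject]@{ KeyId = '11111111-1111-1111-1111-111111111111'; EndDate = [datetime]'2015-12-20' },
    [pscustomobject]@{ KeyId = '22222222-2222-2222-2222-222222222222'; EndDate = [datetime]'2015-11-01' },
    [pscustomobject]@{ KeyId = '33333333-3333-3333-3333-333333333333'; EndDate = [datetime]'2016-11-30' }
)
$constructedCredentials | Get-ExpiringCredential -WarnDays 30 -Today $today

# Against a live tenant (MSOnline session assumed, path is a placeholder):
#   $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2('<path to the exported .cer file>')
#   Get-OAuthCredentialWindow -NotBefore $cert.NotBefore -NotAfter $cert.NotAfter
#   Get-MsolServicePrincipalCredential -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000 -ReturnKeyValues $false |
#       Get-ExpiringCredential -WarnDays 30
```

Running the expiry check on a schedule gives advance notice before the storage service starts logging OAuth failures again.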


Modern Authentication using Azure MFA across Exchange and Lync/SfB Hybrid Options

Updated – 25/01/2017 – This article still generates a lot of questions so I thought best to update and clarify some of the comments.

As part of the work I have been doing on Modern Authentication I thought I would share a table which is useful to understand how the Office clients authenticate in a mixed hybrid environment. Note: currently SfB Online is NOT supported by ADAL (modern authentication) but once it is this will be the model. It is also now supported with SfB On-Premises but ONLY with SfB 2015 running at least the March 2016 updates. However the environment needs to be a pure on premises and NOT hybrid as this is still not supported. It should also be noted that if Exchange is wholly in O365 then you must also reference the following article to allow the fat clients to work.

I would also like to point out this article for further reference by Trevor Miller –

As well as this one –

Modern Authentication using MFA

Clients and Office 365 tenants enabled for OAuth

Exchange On-premises with Skype for Business on-premises

OAuth flows are supported against on-premises SfB 2015 only running March 2016 CU.

Which authentication method will Skype for Business use?

The client will use NTLM/Kerb/Nego to connect to both Exchange and Skype for Business servers.

What happens if MFA is enabled?

MFA challenges should be respected in this topology

What does this mean for the end user?

The MS statement is this currently still isn’t supported. –

Exchange On-premises with Skype for Business Online (Office 365)

Which authentication method will Skype for Business use?

The client will use OAuth against Skype for Business Online tenant, and NTLM/Kerb/Nego against Exchange on premises.

What happens if MFA is enabled?

True MFA in Skype for Business (Azure MFA or Azure AD MFA)

What does this mean for the end user?

Currently I have no direction on what will happen with on premises Exchange but you would need to be running at least 2013.

Exchange Online (Office 365) with Skype for Business on-premises

Which authentication method will Skype for Business use?

The client will use NTLM/Kerb/Nego to connect to Skype for Business on-premises, and IDCRL to connect to Exchange Online.

What happens if MFA is enabled?

MFA challenges will not be respected in this topology.

What does this mean for the end user?

Modern Authentication will not work unless you run the regfix

Exchange Online (Office 365) with Skype for Business Online (Office 365)

Which authentication method will Skype for Business use?

The client will use OAuth against both Exchange and Skype for Business Online tenants.

What happens if MFA is enabled?

True MFA in Skype for Business (Azure MFA or Azure AD MFA)

What does this mean for the end user?

Modern Authentication will work if you are running a pure SfB Online with no hybrid or split domain

The main item to bear in mind here is that when using Lync/SfB on premise (generally because of Enterprise Voice), MFA will currently NOT be respected by the client.

Legacy Authentication using App Passwords with Azure MFA

Legacy Auth (IDCRL, using App Passwords)

Exchange On-premises with Skype for Business on-premises

N/A

On-premises server products do not support app passwords.

Exchange On-premises with Skype for Business Online (Office 365)

Which authentication method will Skype for Business use?

The client will use IDCRL against Skype for Business Online tenant, and NTLM/Kerb/Nego against Exchange on premises.

What happens if App Passwords are enabled?

App Passwords prompts will show up in Skype for Business.

Prompting behavior

Users may see multiple prompts (for two different passwords) from Skype for Business client attempting to connect to Skype for Business server and Exchange.

Exchange Online (Office 365) with Skype for Business on-premises

Which authentication method will Skype for Business use?

The client will use NTLM/Kerb/Nego against Skype for Business on premises tenant, and IDCRL against Exchange on premises.

What happens if App Passwords is enabled?

App Passwords in Skype for Business for connectivity to Exchange. We recommend users log in with app passwords first and then use their domain credentials if needed.

Prompting behavior

Users may see multiple prompts (for two different passwords) from Skype for Business client attempting to connect to Skype for Business and Exchange.

Exchange Online (Office 365) with Skype for Business Online (Office 365)

Which authentication method will Skype for Business use?

The client will use IDCRL against both Exchange and Skype for Business Online tenants.

What happens if App Passwords are enabled?

Users will have to use App Passwords instead of their domain passwords in Skype for Business.


Lync/SfB Unified Contact Store with Exchange

I came across some strange errors recently with a customer whose setup was Lync/SfB on premise (due to Enterprise Voice) with Exchange Online. The issues being seen were that the OWA IM client wouldn’t sign in, on mobile devices the buddy list would not show at all, and the mobile client would struggle to resolve names when you received an instant message. Upon further digging, this was due to the Unified Contact Store that Lync 2013/SfB 2015 and Exchange 2013/16 use and share.

Now the following is the statement of support-ability from Microsoft referenced here:

Supported Lync/SfB Scenarios

| Lync and Exchange integration features | Outlook integration (EWS, MAPI) | Outlook Web App integration (IM/P) | Outlook Web App online meetings (scheduling) | Unified Contact Store | High-resolution contact photos |
|---|---|---|---|---|---|
| Skype for Business Online only | Supported | Supported | Supported | Supported | Supported |
| Lync Server 2013 only | Supported | Supported | Supported | Not supported | Supported |
| Lync Server 2013 hybrid deployment with Skype for Business Online | Supported | Supported | Supported | Supported* | Supported |

*Supported only for Skype for Business Online users in the hybrid deployment.

From this you will notice that UCS is not supported when you have Lync/SfB on premise and Exchange Online. I should point out at this stage that the UCS store was introduced in Exchange 2013/16, so if you migrated from or are running Exchange 2013/16 this will affect you.

To resolve this there are a couple of options available:

  1. Disable the UCS store before you migrate to Exchange Online, as this will back up the contacts and you will not lose your buddy list. (I will discuss the commands later on.)
  2. Migrate the users back to on premise, then disable UCS and migrate the users back to Exchange Online.
  3. Force disabling the buddy list, which will wipe out the contacts from the Lync/SfB client. However, if you have not re-pointed your Exchange records to O365, this may allow the backup of contacts; in my scenario I was unable to test this.

The PowerShell commands available for this are as follows:

  1. To disable UCS for the user – Invoke-CsUcsRollback -force -verbose
  2. To create a global policy to disable UCS the following command is available:
    1. Set-CsUserServicesPolicy -Identity global -UcsAllowed $False
  3. To create a policy for individuals you can carry out the following:
    1. Create a policy – New-CsUserServicesPolicy -Identity "DisableUnifiedContactStore" -UcsAllowed $false
    2. Then assign the policy to a user – Grant-CsUserServicesPolicy -Identity "ahandyblog" -PolicyName "DisableUnifiedContactStore"
  4. Alternatively you can block globally and allow some users to still use UCS if their mailbox is on premise, which is as follows:
    1. Create a policy – New-CsUserServicesPolicy -Identity "EnableUnifiedContactStore" -UcsAllowed $true
    2. Then assign the policy to a user – Grant-CsUserServicesPolicy -Identity "ahandyblog" -PolicyName "EnableUnifiedContactStore"

Once you have carried out the commands the mobile client and OWA IM should start to work immediately.

Office 365 Modern Authentication using ADAL

I have spent the last few weeks testing and trying the various setups with Azure MFA when using modern authentication using Office 2016 ProPlus and thought I would share my experiences.

In general the process is pretty slick and seamless to the end user; the main area of concern is the lack of public information on the matter. There are various discussion articles, which are all linked below. However, it should be made clear that although Office 2013 and 2016 can support modern authentication, Office 365 is NOT fully supported and is still currently in a public preview.

The workloads supported are SharePoint Online, the Office 365 tenant, Intune, Azure AD and Exchange Online (limited support – also note ActiveSync will still require App Passwords if Azure MFA is enforced). Most mobile applications (Outlook/OneDrive/Outlook Groups/RMS Sharing/Intune Company Portal) do support MFA; however, I have found the Delve application currently doesn’t.

Unsupported workloads – Skype for Business Online. The Skype for Business client does support Modern Authentication; however, when using Lync/SfB on premise the client struggles to establish a connection, as authentication to Exchange Online to pull information fails. If you want to use SfB Online, you can continue with App Passwords if this is a required workload.

Although you can request via this page to turn on your tenant for Modern Authentication, the PowerShell command is actually enabled for admins already, which is:

    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

To turn this off, run the command again with $false.

Leaving this on does not affect client authentication if you are NOT enforcing Azure MFA; it will only come into play when Azure MFA is turned on!

Now to the client: Office 2013/16 supports modern authentication; however, when using 2013 you need to add the registry key that is detailed here – for Office 2016 you do not need the registry key, although if you do put it on the machine it won’t harm the client.

To setup Azure MFA the following article discusses how to do this for the users –

The last item to bear in mind is ADFS Client Access policies: you must be running at least ADFS 3.0, however not all policies are supported as discussed here – and you should also ensure you have configured ADFS with the additional rule as discussed here –

The main rule that doesn’t work is “Block all External Access to O365 except Browser Based apps”. If you want to block client access you will need to do this via conditional access policies in Intune or Azure AD. However, it should be noted you need to be running your schema level at 2012 R2 or above within your forest, and there are a multitude of gotchas described in the article.

So overall this should hopefully give you some further food for thought and clarity on Modern Authentication using Azure MFA!

ATA – Microsoft Advanced Threat Analytics – Deployment Guide Part 3

In my previous posts we discussed the prerequisites and the installation of ATA; in this post we will discuss the configuration.

Log on to your console and navigate to ATA Gateways.

You should then see the gateway you recently installed. You will then have a section for port mirrored domain controllers, where you will need to add, one at a time, all the DCs that make up the organization. Then select the 2nd NIC, which should be your port mirrored NIC, to capture the traffic.

Once the initial sync has run, which depending on the network can be quite quick, you can then go and configure some further settings under the detection tab.


Explanations of these settings are below:

  • Short-term lease subnets are subnets in which the IP address assignment changes very rapidly – within seconds or minutes. For example, IP addresses used for your VPNs and Wi-Fi IP addresses. They must be entered with the slash notation format eg
  • Honeytokens are honeypots that are not computer systems. Their value lies not in their use, but in their abuse. As such, they are a generalization of such ideas as the honeypot and the canary values often used in stack protection schemes. Honeytokens can exist in almost any form, from a dead, fake account to a database entry that would only be selected by malicious queries, making the concept ideally suited to ensuring data integrity—any use of them is inherently suspicious if not necessarily malicious. In general, they don’t necessarily prevent any tampering with the data, but instead give the administrator a further measure of confidence in the data integrity.
  • The last two areas, DNS Reconnaissance and Pass-The-Ticket exclusions, are for IPs that may otherwise flag up issues and that you want to exclude from ATA monitoring.

Click save and wait for the settings to replicate.

Next, if you want ATA to send out mail alerts, go to the Alerts tab and configure the settings as required. ATA also fully works with Office 365 as long as you have a licensed account.

Finally, you may want to ensure the product is licensed: pop down to Licensing and enter your product key.

Then wait for 30 days for ATA to get a good overview of your environment and look out for alerts! Just to be clear, this doesn’t mean ATA will wait 30 days before it finds anything suspicious; it will alert instantly if anything is discovered.

ATA – Microsoft Advanced Threat Analytics – Deployment Guide Part 2

In my previous blog post I discussed the requirements for ATA; in this post I will discuss how to install ATA.

First of all we must start with the ATA Center before we install the collectors. The wizard is quite straightforward and will get you to the configuration page very quickly.

For most parts you can accept the default settings. For the certificates you have two options which are:

  • Self Signed certificate – If so tick the box and away you go
  • Internal certificate from a CA – This can be changed later to a public certificate or a certificate with multiple SANs, but by default the wizard will only create the certificate with a single name, which is the server’s hostname.

Click Install and the installation should complete. Then click Launch to launch the console. You will notice certificate errors, as by default ATA uses the console IP address to create the shortcut on the desktop.

At this stage if you want to change the certificate this is the best time to do so.

Create your certificate with the additional names required (it must contain the server name as one of them) the SAN could be something like (also ensure you create an internal DNS A record that will resolve to the correct IP address).

Insert the certificate into the store locally on the server, then in the bindings on IIS change the certificate to your new one. Note that if the certificate does NOT have its private key, IIS will throw up an error, so ensure this is imported at the same time.

Restart IIS fire up the console with your name e.g. and you should be able to log in with your admin account without any warnings.

If you wish at this stage to create extra admins, these can either be members of the local Administrators group or the Microsoft Advanced Threat Analytics Administrators group. Because these are local groups, you might want to create an AD group and nest this within the ATA Admins group to make it easier to manage.

If you have any problems getting to the console, first of all ensure the service is up and running, or consult the error logs at %programfiles%\Microsoft Advanced Threat Analytics\Center\Logs\Microsoft.Tri.Center-Errors.log

The next step is to configure and install the collector(s), or the ATA Gateway role. Once logged into the console, navigate to Configuration and enter the service account that you created in the readiness steps. Then click Save.

Now we need to download the ATA Gateway setup from the console. First of all, log on to the server that will be the Gateway server and open up the ATA console. Navigate to Configuration again and click “Download ATA Gateway Setup”.

Before you extract the files and run the installer, ensure you have the hotfix KB2919355 installed, which you can check via PowerShell by running the following command:

    Get-HotFix -Id KB2919355

Run the wizard until you get to the following page:


Select your installation path. As before, you have two options for the certificate: self-signed or from an internal CA. Then enter the username and password of the service account we created in Part 1.

This completes the installation. In part 3 we will discuss the configuration of ATA.

ATA – Microsoft Advanced Threat Analytics – Deployment Guide Part 1

As some of you may be aware, Microsoft Advanced Threat Analytics has just been released, so I took the time to go through the RTM version, and below is a step-by-step guide to getting the platform in place.

Before we start there are some pre-requisites that should be observed and understood. There are technically three roles within ATA which are:

  • ATA Center – The brain behind ATA
  • ATA Console – The admin front end portal
  • ATA Gateway – The collector of information

It should be noted that at this time it is only supported to install this on premise and NOT within Azure. This is simply because it currently has not been tested by Microsoft. The servers can be either domain or workgroup joined depending on the environment.

The main challenge is the networking element for port mirroring. Depending on your environment, the following are the main considerations and the supported port mirroring options:

| ATA Gateway | Domain Controller | Considerations |
|---|---|---|
| Virtual | Virtual on same host | The virtual switch needs to support port mirroring. Moving one of the virtual machines to another host by itself may break the port mirroring. |
| Virtual | Virtual on different hosts | Make sure your virtual switch supports this scenario. |
| Virtual | Physical | Requires a dedicated network adapter, otherwise ATA will see all of the traffic coming in and out of the host, even the traffic it sends to the ATA Center. |
| Physical | Virtual | Make sure your virtual switch supports this scenario – and port mirroring configuration on your physical switches based on the scenario: if the virtual host is on the same physical switch, you will need to configure a switch level span; if the virtual host is on a different switch, you will need to configure RSPAN or ERSPAN*. |
| Physical | Physical on the same switch | Physical switch must support SPAN/Port Mirroring. |
| Physical | Physical on a different switch | Requires physical switches to support RSPAN or ERSPAN*. |

*ERSPAN is only supported when decapsulation is performed before the traffic is analyzed by ATA.

I will come back to the importance of port mirroring shortly.

For the ATA Center sizing, below is the guidance provided by Microsoft. Note that the ATA Center includes both the Center and the Console roles, which cannot be split, and that the storage is local, as the database cannot be on another server.

| Packets per second* | CPU (cores**) | Memory (GB) | OS Storage (GB) | Database storage per day (GB) | Database storage per month (GB) |
|---|---|---|---|---|---|
| 1,000 | 4 | 48 | 200 | 1.5 | 45 |
| 10,000 | 4 | 48 | 200 | 15 | 450 |
| 40,000 | 8 | 64 | 200 | 60 | 1,800 |
| 100,000 | 12 | 96 | 200 | 150 | 4,500 |
| 200,000 | 16 | 128 | 200 | 300 | 9,000 |

This server should also have a single NIC with two IP addresses. It is possible to configure the service with one IP address, although this is not recommended.

The ATA Gateway has the following hardware requirements. For this server it should be noted that two NICs are required, and the second NIC should be attached to the same switch as the domain controllers that it is monitoring, following the guidance regarding port mirroring above.

| Packets per second* | CPU (cores**) | Memory | OS Storage (GB) |
|---|---|---|---|
| 10,000 | 4 | 12 | 80 |
| 20,000 | 8 | 24 | 100 |
| 40,000 | 16 | 64 | 200 |

*Total daily average number of packets per-second from all domain controllers being monitored

**This includes physical cores, not hyper-threaded cores.

Once you have all of this, you will also need to create a service account as a standard user, as this will be used by the ATA Center to gather information on AD users.

The final note is that the ATA servers cannot be out of time sync with each other by more than 5 minutes.

In part 2 I will go through the installation in more detail.