Benoit's corner

Jul 26
Skype for Business – Getting MAPI unavailable message after switching to UCS

If you have configured your Skype for Business infrastructure to use UCS (Unified Contact Store), or if you have asked to have it enabled on Office 365 (UCS is not activated by default on Office 365; you need to open a service request to get it), you may face the following issue.

With the Skype for Business client, you may notice the following symptoms:

  • When displaying the Configuration Information, the following is shown:

MAPI Information;Your Outlook profile is not configured correctly. Contact your support team with this information.;MAPI unavailable;
EWS Information;;EWS Status OK;

  • Delegate functionality may be broken

If so, there are two options: one simple, one a little more complex.

 

Simple Plan – Deploy the July 5th 2016 fix

This is very simple, just download and deploy the fix from

However, this may not work, especially if you have a Click-to-Run installation of Office 2013/Office 2016: the fix will not detect any product to which it must be applied.

You can try to force your Click-to-Run installation to update, but it seems the fix is not available that way yet either (I did, and the issue was not solved).

So, let's take a look at the more complex option.

More Complex – Registry fix

Launch the registry editor (regedit) and browse to the following key

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles and open your default profile

Then locate the subkey named 9375CFF0413111d3B88A00104B2A6676

Open the subkey and check each of its subkeys until you find the one with your email address shown in the Account Name value.

Take the value from Service UID and then locate the subkey with the same name below the Profiles tree. In this example, the Service UID value is 980e871e9d8a8644b50ddd6c2c583715, so the subkey to locate is HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\980e871e9d8a8644b50ddd6c2c583715

Take the value from the 01023d0d binary value and repeat the same search

In this example, the value is 2c5e812328c4cb42bfbd2be3d360e7b3 so the subkey to search is HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\2c5e812328c4cb42bfbd2be3d360e7b3

There you need to create a new String value named 001e6603

Set this new string value to your mailbox LegacyDN; you can get the LegacyDN from the XML tab of Outlook's Test E-mail AutoConfiguration tool.

Close your SfB/Lync client and restart it. You should now get

UCS Connectivity State;Exchange connection Active;--;
MAPI Information;MAPI Status OK;MAPI Status OK;
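
The registry walk above, scripted as an added PowerShell example (not part of the original post). It assumes the profile is named Outlook as in the paths above, that Account Name is stored as a string or as UTF-16 bytes, and that Service UID and 01023d0d each hold a single 16-byte identifier as in the example; the parameter and function names are illustrative. Nothing is written unless -Apply is given.

```powershell
# Added example: follows Account Name -> Service UID -> 01023d0d -> target key,
# then reports (or, with -Apply, creates) the 001e6603 string value.
param(
    [Parameter(Mandatory)] [string] $EmailAddress,  # address shown in "Account Name"
    [Parameter(Mandatory)] [string] $LegacyDN,      # from Test E-mail AutoConfiguration, XML tab
    [string] $ProfileName = 'Outlook',              # assumption: profile name used in the post's paths
    [switch] $Apply                                 # without this switch the script is read-only
)
$ErrorActionPreference = 'Stop'

$profileKey  = "HKCU:\Software\Microsoft\Office\16.0\Outlook\Profiles\$ProfileName"
$accountsKey = Join-Path $profileKey '9375CFF0413111d3B88A00104B2A6676'

function ConvertTo-KeyName($Value) {
    # Binary identifiers reappear as subkey names in lowercase hex.
    if (($Value -isnot [byte[]]) -or ($Value.Length -ne 16)) {
        throw 'Expected a 16-byte binary value; inspect the key manually.'
    }
    -join ($Value | ForEach-Object { $_.ToString('x2') })
}

function ConvertTo-Text($Value) {
    # Assumption: the value is either REG_SZ or UTF-16LE bytes.
    if ($Value -is [byte[]]) {
        return [Text.Encoding]::Unicode.GetString($Value).TrimEnd([char]0)
    }
    [string] $Value
}

if (-not (Test-Path $accountsKey)) { throw "Accounts key not found: $accountsKey" }

# Step 1: find the account subkey whose Account Name is the mailbox address.
$account = Get-ChildItem $accountsKey | Where-Object {
    (ConvertTo-Text ($_.GetValue('Account Name'))) -eq $EmailAddress
} | Select-Object -First 1
if (-not $account) { throw "No account named $EmailAddress in profile '$ProfileName'." }

# Step 2: Service UID names the next subkey below the profile.
$serviceKey = Join-Path $profileKey (ConvertTo-KeyName ($account.GetValue('Service UID')))

# Step 3: its 01023d0d value names the subkey that needs 001e6603.
$targetKey = Join-Path $profileKey (ConvertTo-KeyName ((Get-Item $serviceKey).GetValue('01023d0d')))
if (-not (Test-Path $targetKey)) { throw "Target key not found: $targetKey" }

# Report what was found before changing anything.
$existing = (Get-Item $targetKey).GetValue('001e6603')
[pscustomobject]@{ TargetKey = $targetKey; Existing001e6603 = $existing; NewValue = $LegacyDN }

# Step 4: create the string value only when explicitly asked to.
if ($Apply -and ($existing -ne $LegacyDN)) {
    New-ItemProperty -Path $targetKey -Name '001e6603' -PropertyType String -Value $LegacyDN -Force | Out-Null
    Write-Host '001e6603 set; close and restart the Skype for Business client.'
}
```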

Jul 26
Microsoft Authenticator – New version coming up on August 15th

A new version of the Microsoft Authenticator is coming on August 15th.

As you may know, Microsoft has had several different apps to manage MFA (Multi-Factor Authentication): one for Microsoft Accounts and one for Microsoft corporate accounts (Azure AD, Office 365…).

On August 15th, this will no longer be the case; both account types will be supported by the new Authenticator app (finally :)).

In addition to this consolidation, the app will also be available on wearable devices (like Apple Watch) and will support fingerprints (on iPhone and Android devices) and certificate-based authentication.

Stay tuned

Jul 22
Azure – Azure AD Connect Health for domain controllers

Microsoft has just released the preview of Azure AD Connect Health for Windows Server AD. This feature is similar to the health agent used with Azure AD Connect to monitor the health of your directory synchronization with Azure AD and of your ADFS, but for on-premises Active Directory domain controllers.

To take advantage of this new feature, you need Azure AD Premium and must download and install the new agent from http://go.microsoft.com/fwlink/?LinkID=820540

Set up the Azure Connect Health Agent for DC

Once you have downloaded the agent, you need to install it on all of your domain controllers.

This is a pretty straightforward installation.

NOTE: the agent can be installed on domain controllers running Windows Server 2008 R2, 2012 and 2012 R2.

Important point: there is no server restart.

Run the agent setup and follow the wizard to install the agent.

Once the setup is complete, you need to configure the agent; this is basically an automated process that registers the agent and defines the account used to connect to AD Connect Health.

That’s it, the agent is now installed and will start gathering monitoring data.

You can check if the following services have been installed and are in a running state

  • AzureADConnectHealthAddsInsights
  • AzureADConnectHealthAddsMonitor

View Reports

Connect to your Azure portal (https://portal.azure.com/) and access the Azure AD Connect Health dashboard.

Then look for the Active Directory Domain Services dashboard; you will see the monitored forest(s) and the number of agents deployed.

Once enough data has been gathered, you will have insight into your on-premises AD health, including authentication requests, replication state…

Jul 09
Security – Error after upgrading Multi Factor Authentication Server to version 7

If you are already using Microsoft Azure MFA with the on-premises solution (Multi-Factor Authentication Server) and want to upgrade (or have already upgraded) to the latest version (7.0.2 at the time of writing this post), you may get the following error after upgrading your ADFS connector if MFA is integrated with ADFS, especially when you restart your ADFS services.

Log Name:      AD FS/Admin
Source:        AD FS
Date:          7/9/2016 10:55:08 AM
Event ID:      105
Task Category: None
Level:         Error
Keywords:      AD FS
User:         
Computer:     
Description:
An error occurred loading an authentication provider. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.
Identifier: WindowsAzureMultiFactorAuthentication
Context: Proxy device TLS pipeline

Additional Data
Exception details:
The external authentication method pfadfs.AuthenticationAdapter, MultiFactorAuthAdfsAdapter, Version=6.3.0.17452, Culture=neutral, PublicKeyToken=31bf3856ad364e35 could not be loaded. Could not load file or assembly 'MultiFactorAuthAdfsAdapter, Version=6.3.0.17452, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The system cannot find the file specified.

This is because the resource has been renamed.

To solve the issue, you need to unregister the previous version of the ADFS connector and then register the new one.

Disable MFA in ADFS

If you have already integrated MFA with your ADFS, this means you are using it (or should :)).

Before unregistering the “old” version, you need to disable it in your ADFS console, under Authentication Policies.

Unregister the previous version

Open a PowerShell prompt and run the following command

Unregister-AdfsAuthenticationProvider -Name WindowsAzureMultiFactorAuthentication

If you did not disable the connector from ADFS first, you will get this error

Unregister-AdfsAuthenticationProvider : PS0099: The specified authentication provider cannot be removed from the
policy store.  The provider is currently specified in the additional authentication providers list. Remove the
provider from the additional authentication providers list.
At line:1 char:1
+ Unregister-AdfsAuthenticationProvider -Name WindowsAzureMultiFactorAuthenticatio ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Unregister-AdfsAuthenticationProvider], ArgumentException
    + FullyQualifiedErrorId : PS0099: The specified authentication provider cannot be removed from the policy store.
   The provider is currently specified in the additional authentication providers list. Remove the provider from the
  additional authentication providers list.,Microsoft.IdentityServer.Management.Commands.RemoveExternalAuthProviderC
  ommand

Once completed, restart the ADFS service.

Register the new version

Run the PowerShell script provided with MFA to register the new version; the script is located in the C:\Program Files\Multi-Factor Authentication Server folder and is called Register-MultiFactorAuthenticationAdfsAdapter.ps1

Once completed, restart your ADFS services again.

Re-enable the connector

Reopen your ADFS console and browse to the Authentication Policies to re-enable the connector; you will notice the name has changed to Azure Multi-Factor Authentication Server
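
The whole upgrade sequence as one script, as an added example rather than the post's or Microsoft's own code. Instead of the console it edits the global additional authentication providers list with Set-AdfsGlobalAuthenticationPolicy, and it finds the newly registered adapter by comparing the provider list before and after registration; it assumes the default adfssrv service name and an elevated prompt on the ADFS server. If the adapter was already disabled in the console, the script leaves re-enabling to you.

```powershell
# Added example: replace the pre-7.0 MFA adapter with the renamed one.
$ErrorActionPreference = 'Stop'
$oldName        = 'WindowsAzureMultiFactorAuthentication'   # identifier shown in event 105
$registerScript = 'C:\Program Files\Multi-Factor Authentication Server\Register-MultiFactorAuthenticationAdfsAdapter.ps1'

# 1. Disable: remove the old adapter from the additional authentication providers
#    list, otherwise Unregister-AdfsAuthenticationProvider fails with PS0099.
$policy     = Get-AdfsGlobalAuthenticationPolicy
$current    = @($policy.AdditionalAuthenticationProvider | Where-Object { $_ })
$remaining  = @($current | Where-Object { $_ -ne $oldName })
$wasEnabled = $remaining.Count -ne $current.Count
if ($wasEnabled) {
    $list = if ($remaining.Count) { $remaining } else { $null }   # $null empties the list
    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $list
}

# 2. Unregister the previous version, then restart ADFS.
$before = @(Get-AdfsAuthenticationProvider | Select-Object -ExpandProperty Name)
if ($before -contains $oldName) {
    Unregister-AdfsAuthenticationProvider -Name $oldName
}
Restart-Service adfssrv

# 3. Register the new version with the script shipped with MFA Server.
#    Run it from its own folder in case it resolves files relative to it.
Push-Location (Split-Path $registerScript)
try     { & $registerScript }
finally { Pop-Location }
Restart-Service adfssrv

# 4. Re-enable: the adapter now has a different name, so locate it by difference.
$added = @(Get-AdfsAuthenticationProvider | Select-Object -ExpandProperty Name |
           Where-Object { $before -notcontains $_ })
if ($added.Count -ne 1) {
    throw "Expected exactly one new provider, found: $($added -join ', ')"
}
if ($wasEnabled) {
    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider ($remaining + $added)
}

# Show the resulting list so the change can be verified.
(Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
```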

Jul 06
Azure / Office 365 – Conditional Access is now available in preview

Azure AD Conditional Access policies for Office 365 (Exchange and SharePoint Online) are now available in preview; additional services may be supported (see the end of this post).

This will make it easier to require multi-factor authentication when accessing Office 365 services. Until now, you either had to manage it at the ADFS level if you were using federated authentication, or you were not able to define such conditional access at all if you were using Office 365 authentication.

Requirements

Before setting up Azure AD Conditional Access policies you need to ensure that your devices will be supported:

Setup Conditional Access Policies (Cloud Authentication)

Log on to your Azure administration portal (“old” version) using your Office 365 admin account (or Azure AD admin account) - https://manage.windowsazure.com

Access your Office 365 directory and open the Applications tab.

Select Office 365 Exchange Online.

Then open the Configure options.

Activate the Multi Factor Authentication and Location Based Access Rules.

And define your requirements.

Repeat with Office 365 SharePoint Online.

You can also configure Yammer, Visual Studio Online, Office 365 Customer Success Center, CRM Online, Azure RemoteApp, Azure OMS

Jul 06
Windows 10 – Windows Store for Business

As you know, since Windows 8.x Microsoft has offered the App Store, which is mainly used with your Microsoft Account.

So far, it has been fairly complicated for enterprises to manage their own App Store efficiently. This is now possible and, quite frankly, it is not so bad :)

Create and Configure your Corporate App Store

The first thing you need to do is go to https://businessstore.microsoft.com and sign in with an Office 365 or Azure AD admin account.

Configure the MDM to use

Then you need to set up your store using Settings\Management Tools to define which mobile device management tool will be used to push applications.

Click on Add a management tool and search for the management tool you want to use – NOTE the tool must already be listed/configured in your Azure AD; for the purpose of this post I’m adding Office 365 (which includes an MDM) and Intune.

You can only have one MDM activated and used to push applications.

Once you have added the MDM you want to use, just Activate it.

Delegate Access

Using the Settings\Permissions option, you can delegate access to the store and delegate administration and/or application purchase. Of course, by default the account you used to create your store has full administration permissions, including buying apps.

Search for the user(s) to whom you want to delegate access to your corporate store and assign the permission; the search uses your Azure AD, so if you are syncing from your on-premises Active Directory, ensure the account you are looking for is synced.

  • Global Administrator - IT Pros with this account have full access to Store for Business. They can do everything allowed in the Store for Business Admin role, plus they can sign up for the Store for Business, and assign Store for Business roles to other employees.
  • User Administrator - IT Pros with this account can assign Store for Business roles to other employees, as long as the User Administrator also has the Store for Business Admin role.
  • Billing Administrator - IT Pros with this account have the same permissions as the Store for Business Purchaser role

 

Application Inventory

Using the Manage\Inventory menu, you can review the applications available through your corporate store.

As you have just created your store, the inventory is empty. As soon as you add applications, you will be able to manage them from there.

 

Add Application to Your Store

This is where improvements should take place. The shop does not provide the same experience as the consumer one.

The Shop main page just shows a few featured applications but does not provide a way to browse the store. You need to search for the application you want to add to your store.

Using the search box, look for the application you want to deploy; if there are multiple results, you will be able to refine by Mobile or PC applications, Category…

Click on the application you want to buy.

Then select Get the app. Depending on the application, you may have to choose between an Online or Offline license.

You then get a confirmation that the app has been purchased and is now available in your inventory. NOTE at this stage the app is NOT available in your corporate store.

Once the app has been purchased, click on the Add to private store button – NOTE this action is also available from the Inventory.

It will take up to 24 hours for the application to become available in your store.

 

Assign Application to Users

Once you have purchased applications and added them to your store, you can either let users choose to install them or assign them.

You can assign an application either immediately after you have added it to your store or from the inventory.

NOTE if you have just added the application to your store, it will be available as soon as its status in the inventory is In Private Store.

When you assign an application, the user will receive a notification email.

 

Install Applications from Your Private Store

Open the Store application and click on your account at the top right, just before the search box.

This opens a new pop-up showing your Microsoft Account and allowing you to add an account.

Click Add account, select Work or school account and sign in with your corporate account.

Once you have signed in with/added your corporate account, the corporate store is displayed in the top bar; clicking it displays the applications available in your private store.

If you are already signed in using your corporate credentials (Azure AD Joined device), the private store is already available.

Jul 02
Office 365 / Exchange Online – You can now define the attachment types you want to block

An update to Exchange Online now allows administrators to define an attachment types policy specifying what they want to block or authorize.

To update your configuration, open your Exchange Online ECP (https://outlook.office365.com/ecp/) and go to the Protection section to access the Malware filter options.

Then either edit an existing policy or create a new one and look for the Common Attachment Types Filter option, available below the Settings (default is set to Off).

When you create a new policy, this option is immediately available for configuration during the policy creation process and the default setting is On.

Jun 26
Microsoft Azure – Enterprise State Roaming in public preview

As you may already know, since Windows 8.x user settings can sync to OneDrive (consumer), allowing end users to sync their settings and universal app data across different devices when they log on with their Microsoft account.

This setting is now also available in public preview for enterprise users using Windows 10 (at least build 10586) and Azure Active Directory Premium.

The devices must be either AD domain joined with automatic registration to Azure AD, or Azure AD joined.

To take advantage of this feature, you must first enable it in your Azure AD (from the ‘old’ portal - https://manage.windowsazure.com) through the Configure tab.

Then scroll down to the Devices section and configure the Users may sync settings and enterprise app data section.

Then you must sign in with your corporate account on your Windows 10 device and manage the sync settings using Settings\Accounts\Sync your settings to select which settings you want to sync; if you see your Microsoft account, then you are still syncing with your consumer OneDrive, not with your Azure AD.

Jun 26
Office 365 – Admin mobile app is updated

The administration mobile app for Office 365 has been updated (or will be within the next few weeks for iOS).

This new version provides a new, simpler UI plus new functionality such as resetting passwords (if you are not using ADFS, or if you are using AADConnect with password sync and password write-back), giving you the same admin features as the new Office 365 admin portal.

If you have already installed the app, it should have been updated automatically (depending on your App Store configuration); otherwise, get it from https://aka.ms/office365adminapp

Jun 26
Office 365 / Skype for Business – Get usage data using PowerShell

Skype for Business Online has been updated to provide usage data through PowerShell.

To get usage data, you need to have the Skype for Business Online PowerShell module installed (https://www.microsoft.com/en-us/download/details.aspx?id=39366).

Then you need to connect to your tenant and use the Get-CsUserSession cmdlet.

Connect to your tenant – NOTE if you are in hybrid mode with your on-premises Lync/Skype for Business environment, you need to use an online account (@yourtenant.onmicrosoft) or you may get an error

$cred = Get-Credential

$session = New-CsOnlineSession -Credential $cred

Import-PSSession $session

Then run the command to get usage data – this example returns usage data from April 1st 2016

Get-CsUserSession -User <Skype User Logon> -StartTime "04/01/2016 00:00:00 AM"

Sample report, which provides the client used, the logon time, activities…

RunspaceId            : 0837d992-ecac-4f5a-a6dc-d22623b2dc16
DialogId              : <PII:H101(pkyUuftLwpYy+0HIHUX39Lc/2EQuvKPNaEicEsGL2OU=)>@<domain>_9FEB17DE-0F16-5267-86
                        1D-B0DCA0659C12_071e321f-00f0-457f-884f-4f70c4df8ca1
ReplacesDialogId      :
StartTime             : 6/25/2016 4:01:46 PM
EndTime               :
FromUri               : <Skype User Logon>
ToUri                 : <Skype User Logon>
FromClientVersion     : UCCAPI/16.0.6965.5266 OC/16.0.6965.2053 (Skype for Business)
ToClientVersion       : RTC/7.0
FromTelNumber         :
ToTelNumber           :
ToEndpointId          :
FromEndpointId        : 9FEB17DE-0F16-5267-861D-B0DCA0659C12
ConferenceUrl         :
ConfInstance          :
OnBehalfOfUri         :
ReferredByUri         :
ResponseCode          :
MediaTypesDescription : [RegisterEvent]
ErrorReports          :
QoEReport             :


 About

Benoit specializes in Microsoft infrastructure (Active Directory, Azure, ForeFront products, Hyper-V, Identity Management, System Center, Windows) and collaboration (BPOS, Exchange, Office 365, SharePoint) technologies.

He has been a Microsoft Most Valuable Professional (MVP) since 2002 - on Windows, then SharePoint and finally Office 365. He was recognized as a Microsoft Community Contributor for his work on the Office 365 community in 2013 and 2014.

He has been involved in early-stage testing of many Microsoft products - from Windows to Office 365, including Exchange, SharePoint, the Office client and WindowsUpdate.

He has participated as a speaker or Ask The Expert (ATE) at many Microsoft and Quest events. He also participated in writing several books on SharePoint (2003 to 2010).

With more than 10 years of professional experience, he has a deep knowledge of the Microsoft market and its competitors.

​Privacy Information

This blog is using tracking code for analytics purpose.

No personal data are stored and maintained.


 Certifications

Microsoft Certified Systems Administrator 
Microsoft Certified Systems Administrator - Messaging
Microsoft Certified Systems Engineer 
Microsoft Technology Specialist 
 Microsoft Certified IT Professional


 Books I wrote

Le portail Microsoft SharePoint 
Microsoft Office SharePoint Portal Server 2003 et WSS au quotidien 
Microsoft Office SharePoint Server (MOSS) et Office 2007  
Microsoft Sharepoint 2010