For those who did not have request the automatic update or for enterprise consumers, Windows 10 is now available in MSDN
For those who have requested to get the automatic update – through the white Windows icon in the systray, start to check for updates on Windows Update
As you may know, you can synchronize your content store in SharePoint or SharePoint Online to your local client to keep it available while offline (thanks to the OneDrive for Business client).
With SharePoint Online, you can now restrict this feature to only domain joined client; this will help you to ensure sensitive data is not stored on non managed client.
To do so:
$cred = Get-Credential (save your SharePoint Online Admin credential in the $cred variable)
Connect-SPOService -Url https://<your Office 365 tenant name>-admin.sharepoint.com -credential $cred (connect to your SharePoint Online tenant with your saved credentials)
Set-SPOTenantSyncClient -Enable -DomainGuids "<replace with your AD GUID – multiple GUID must be separate by a comma>"
If you are not sure if there is any client synch restriction, or need to check which domain(s) is allowed (you will only get the GUID), you need to run the following command
To remove the overall restriction, run the following command and the TenantRestrictionEnabled must then be set to FALSE
Additional things to know:
Microsoft has released the new Skype for Business app for Windows Phone.
If you have already installed Lync 2013 Mobile client app for Windows Phone, this has been automatically (or should be) updated.
If not, try to force to update your installed app or download it from the Store https://www.windowsphone.com/en-us/store/app/skype-for-business/d85d8a57-0f61-4ff3-a0f4-444e131d8491
As part of the improvements:
As you may know, many of the administration tasks for Office 365 services have to be done using PowerShell.
Since June 30rd, Microsoft has released a new web site to assist you with Office 365 powershell commands.
This site contains lot of resources and script samples to help you
Go to http://powershell.office.com/
Want to be the first to see, test and use what will be coming with Skype for Business and Skype for Business Online??
Go to https://www.skypepreview.com/ to sign up for Skype Meeting Broadcast, PSTN Conferencing (US only at this time) and Cloud PBX with PSTN Calling (US only at this time too).
I have the great pleasure to announce that I have been renew for one more year as MVP on Office 365
One more year as part of this great program with lot of opportunity
Following my previous post about the upgrade process from DirSync to AAD Connect (which failed), I decided to go ahead and uninstall DirSync to do a fresh install of AAD Connect.
So let start a fresh install by accepting the license agreement
Then you have the choice to do an Express configuration – which synchronize identities, password and all attributes from the current directory (based on the domain membership of the server) – or do a Custom configuration which let you decide what do synchronize
For the next steps, I choose to do a custom configuration
With the custom configuration you can choose to use a SQL instance (instead of using the SQL Express provided with the tool), define custom installation location, define your own FIN groups
If you choose to define your the service account (used to start the service not to synchronize your directory – even if you can use it for both it is always recommended to use dedicated account for each task) you have to use the following format domain\useraccount – UPN format is not accepted
I choose to define my own service account (to run the synchronization service) and use a SQL instance
Then when you start the installation, the wizard installs additional prerequisites like the sign-in assistant
As I choose to use SQL instance, it also creates the ADSync database on SQL and grants appropriate permission for the service account I defined
NOTE i f you uninstall AAD Connect and where using an SQL instance, the ADSync database will be also deleted
At the next step, you can define which authentication methods you want to use between password synchronization, federation or nothing (meaning you need to define the user’s password on Azure AD/Office 365)
I choose Password Synchronization – I already have ADFS configured and in use, so want to check what will happen there
Then you have to enter your global administrator credentials – as always it is recommended to have setup a dedicated account on your tenant with complex password which never expires
Then it connects to the tenant, validates the credentials and the account role
At the next step you can select which On Premises AD Forest you want to synchronize – if you have only one, that’s easy, if you have more than one you can add them here; strangely you have to manually enter the other AD forest in the FOREST field while with beta/preview version you were able to select them directly using the drop-down menu
The account does not need anymore to be Enterprise Admin BUT need to have permission to manage user and groups objects
Then it checks your directory schema and validates if it meets the prerequisites for synching with Azure Active Directory
If you are going to synchronize multiple AD Forest, you have to define the way to uniquely identity each identity against each directory services
Then you can synchronize the entire directory or select filtering options based on AD groups – this option can be helpful if you are planning a pilot
Do not forget you will be still able to do filtering based on OU or attributes later using the FIM console
Finally you can choose to enable additional features like Exchange Hybrid configuration, password write back…
In my case I enabled Exchange Hybrid, password write back (which requires AAD Premium) and also the new (still in preview) user and group write back (will covers this later in this post)
Then once you have selected (and configured) the additional features, you can check which AD attributes will be synchronized – you can check them using a CSV export
You can even unselect some of them using the I want to further limit the attributes exported to Azure AD and then uncheck the attributes you want
NOTE you will not be able to uncheck mandatory attributes like userprincipalname, accountenabled…
That’s it, you are ready to finalize the configuration. I would recommend to uncheck the Start synchronization if you want to configure OU based filtering
Unchecking this option will disable the scheduled task. Don’t forget to enable it after having configured your OU based filtering
Also, you can enable the Staging option which will let you check what will be synched to Azure AD BUT will not export anything
This useful if you are planning a pilot or preparing the deployment of AAD Connect in parallel of other running instance (DirSync)
To start a manual synchronization, there is no more any PowerShell command but a command line tool - see http://blog.hametbenoit.info/Lists/Posts/Post.aspx?ID=661
With Azure AD Connect, the console which allows you to check the synchronization progress as well as to define OU based filtering is now located within the C:\Program Files\Microsoft Azure AD Sync\UIShell folder and you have to use miisclient.exe to start it
As usual you have to logoff after installing the tool to be able to use the console
Groups and Users Writeback is new with ADD Connect and allows you to create groups and users object on your On Premises Active Directory based on objects initially created on Azure Active Directory
If you enable this feature, you have to define where this “written back” group and user objects have to be created on your AD. AAD User will have a randomly generated password set your on AD, so you will have to reset to a known password after their creation.
Password write back is not available for these objects, meaning their cloud password is not synchronized back on your AD.
If the device writeback is disabled this may be because you need to prepare your AD forest. Also seems there is still some defect as this feature also comes with ADFS 3.0 and device registration; if you have setup ADFS 3.0 for device registration, you have nothing to do but the option is still unavailable
To prepare the forest, you need to run a PowerShell command prompt (still using Run As Administrator) and execute the AdSyncPrep.psm1 located within the default installation folder C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep. Also you need to execute this command with an Enterprise Admin account
Then you have to execute the following command to enable device writeback Initialize-ADSyncDeviceWriteBack
You will be asked to enter the domain to be prepared and the AD connector account – the one you defined when you connect to your On Premises AD services
NOTE seems there has been another change since the beta/preview builds as you have to reconfigure what you already have defined. This was not the case with the beta/preview builds
By default, AAD Connect now has bulk deletion prevention enabled BUT with a high threshold set to 500 objects; meaning of less than 500 objects are deleted on AD, this will be synched back to Azure AD.
If you want to either disable – run the following command Disable-ADSyncExportDeletionThreshold – or change the threshold value – run this command Enable-ADSyncExportDeletionThreshold, you then will be asked to enter your Azure AD credentials and the new threshold value (or use the complete command Enable-ADSyncExportDeletionThreshold –DeletionThreshold <value>
Following the announcement of the new AAD Connect (Azure Active Directory Connect), I decided to upgrade my DirSync instance (version 1.0.7020).
So the first thing is off course to get the AAD Connect tool either from http://go.microsoft.com/fwlink/?LinkId=615771
Then let start the upgrade….
Some details about my current DirSync configuration:
Also I'm using ADFS to authenticate against Office 365 and Microsoft Azure services.
As usual, always run as administrator – best it to use a command prompt with the run as administrator option
The setup immediately starts installing all required binaries before starting the configuration wizard
After the classic acknowledgment of the license, you can start configuring
The wizard has detected my DirSync instance and is checking to propose me the best upgrade option
And… it failed. The wizard told me that DirSync is configured with some options which can not be upgraded to Azure AD Connect.
So I checked the Learn more link to try to know which options are involved here but it clearly does not help
Then I checked the TEMP directory on my user profile to check if there is any log file and if so trying to get more details but there is log, no need to check the Windows Event log, there is nothing here too.
So the upgrade process ended by uninstalling DirSync and start a fresh install….
An update is currently being deployed on SharePoint which will allows IT administrator to restrict external sharing to be validated only by the original email which sent the invitation.
To enable this, you must connect to your SharePoint tenant using PowerShell and set the RequireAcceptingAccountMatchInvitedAccount to TRUE (by default this is set to FALSE)
To check if your tenant is already updated, run the Get-SPOTenant and check if the parameter is present or not
But stay tuned, more update is coming on SharePoint Online
You may be already aware – if not this now the case – every user on Office 365 has a profile page (different from the SharePoint Profile) accessible from the Gear\Office 365 Settings\Me menu. This page provide user details like your contact details or allows you to know more about the license assigned to your account
This page has been updated to deliver a nicer interface
This updated page is/will be available first to whom has the First Release enabled and in the few months to all other.
Benoit is specialized on Microsoft infrastructure (Active Directory, Azure, ForeFront products, Hyper-V, Identity Management, System Center, Windows) and collaboration (BPOS, Exchange, Office 365, SharePoint) technologies.
He has been awarded as Microsoft Most Valuable Professional (MVP) since 2002 - on Windows, then SharePoint and finally Office 365. He has been recoginzed as Microsoft Community Contributor for his work on the Office 365 community in 2013 and 2014.
He has been involved in early stage of testing phase for many Microsoft products - from Windows to Office 365, including Exchange, SharePoint or Office client and WindowsUpdate.
He has participated as speaker or Ask The Expert (ATE) at many Microsoft or Quest events. He also participed in writing several books on SharePoint (2003 to 2010).
With more than 10 years of professional experience, he has a deep knowledge of the Microsoft market and his competitors.
This blog is using tracking code for analytics purpose.
No personal data are stored and maintained.