Benoit's corner

Oct 21
SharePoint – SharePoint Mobile app is now available

It has been a long wait, but the new SharePoint mobile app is now available for Windows 10 Mobile, Android and iOS.

Download links:

Oct 11
Office 365 – Secure Score is now in preview

Security is a key point when moving to, or using, a cloud service.

Microsoft has made (and is still making) a lot of investment to secure data and accounts, and to help customers get the most out of those capabilities.

A new step has just been taken with the preview release of Secure Score, a toolset integrated with Office 365 that gives you an overview of your security posture (much like the credit score a bank uses before granting you a loan).

To start using it, and improve your security when/where needed and possible, go to

You will be prompted to allow the website to access some of your data.

Then you get a first dashboard showing your current security score and the additional actions you can take to improve it.


You also get a comparison of your current security score/level with the average in Office 365. In my case, I'm not so bad :)


Then, if you click on one of the recommended actions, you get an explanation of the risk(s) associated with the current setting.


The Learn more button provides more details about the action to perform, as well as a Launch now button that redirects you either to where you can buy the option (if the feature is not included in your current subscription) or to where you configure the recommended setting.


Oct 09
ADFS 4 – Enable device authentication method

With ADFS 4, you can easily enable device authentication as an authentication method.

This authentication method was already available in ADFS 3, but only as an additional authentication method; with ADFS 4 it also becomes available as a primary authentication method.


Upgrade Active Directory Federation schema

This step is required if you have already deployed a previous version of ADFS in your Active Directory and/or if you are not yet running Windows Server 2016 domain controllers (i.e. if your AD schema has not been upgraded to 2016).

  • Using Windows Server 2016 installation media, run the following command; adprep is in the support\adprep directory of the media. Run it on the schema master with an account that is a member of both Schema Admins and Enterprise Admins.

adprep /forestprep




Raise ADFS functional level

This step is required if your ADFS 4 server is deployed in an existing ADFS 3 farm; you can do it ONLY once no ADFS 3 servers are left in the farm.

See for the ADFS upgrade procedure.

Enable device authentication method

To continue with this step, you need to have the Azure Active Directory PowerShell module installed.

Using an elevated PowerShell prompt, run

Initialize-ADDeviceRegistration

and, when prompted, enter the ADFS service account (you can also pass it directly with -ServiceAccountName).


Then confirm the AD preparation


Once successfully completed, complete the configuration by running



Import the Azure AD Connect preparation module and connect to your Azure tenant to create the connection point

Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1"

$aadAdminCred = Get-Credential

Initialize-ADSyncDomainJoinedComputerSync –AdConnectorAccount <account used when connecting to your AD when configuration Azure AD Connect> -AzureADCredentials $aadAdminCred


NOTE: you can find the account you used by opening the Azure AD Connect synchronization console ("C:\Program Files\Microsoft Azure AD Sync\UIShell\miisclient.exe") and looking at the "Connect to Active Directory Forest" section in the AD connector properties.

Finally, enable device writeback in your Azure AD and in Azure AD Connect (Optional features).

Once completed, you can confirm the setup by opening ADSI Edit and connecting to the Configuration naming context, under CN=Services; you should see

  • CN=Device Registration Configuration
  • CN=Device Registration Services under CN=Device Registration Configuration
  • CN=Device Registration Service DKM under CN=Device Registration Configuration
  • CN=<GUID> under CN=Device Registration Configuration – where the GUID is your Azure AD Connect connection point


In the ADFS console, enable device registration in the Device Registration section, and then enable the device authentication method under Authentication Methods.


NOTE: there is no longer a separate Device Registration Service in the Services console; in ADFS 4 device registration runs inside the ADFS service itself.

Once Device Registration is enabled, you can also define, from the ADFS console (Device Registration section), the number of days after which an inactive device is removed.

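The whole procedure above as one script, added here as an example and not taken from the original post. It runs in an elevated PowerShell prompt on the ADFS 4 (Windows Server 2016) server and replaces the ADSI Edit check with an LDAP query. The service account name, the Azure AD Connect connector account, the retention value and the credential prompts are assumptions; the module path is the one the post gives. The 'DeviceAuthentication' provider name used for the primary-method step is also an assumption: confirm it against the output of Get-AdfsAuthenticationProvider before applying it.

```powershell
# Added example, not the original post's code. Run elevated on the ADFS 4 server.
# Assumed values (replace with your own):
$AdfsServiceAccount = 'CONTOSO\svc-adfs$'   # ADFS service account (gMSA here)
$AdConnectorAccount = 'CONTOSO\MSOL_xxxx'    # account shown in miisclient.exe, AD connector properties
$AdSyncPrepModule   = 'C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1'
$MaxInactiveDays    = 90                     # days before an inactive device is removed

# 1. Farm behaviour level: the 2016 level can only be reached once no ADFS 3 node is left.
$farm = Get-AdfsFarmInformation
"Current farm behaviour level: $($farm.CurrentFarmBehavior)"
$farm.FarmNodes | Format-Table -AutoSize
if ($farm.CurrentFarmBehavior -lt 3) {
    # Prompts for confirmation; refuses if 2012 R2 nodes are still in the farm.
    Invoke-AdfsFarmBehaviorLevelRaise
}

# 2. Prepare AD for device registration (needs Enterprise Admin rights).
Initialize-ADDeviceRegistration -ServiceAccountName $AdfsServiceAccount

# 3. Create the Azure AD Connect connection point for device writeback.
Import-Module -Name $AdSyncPrepModule
$aadAdminCred = Get-Credential -Message 'Azure AD global administrator'
Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount $AdConnectorAccount -AzureADCredentials $aadAdminCred

# 4. Verify the objects the post lists, without opening ADSI Edit.
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext
$drsBase  = "CN=Device Registration Configuration,CN=Services,$configNC"
$found = Get-ADObject -SearchBase $drsBase -SearchScope Subtree -Filter * |
    Select-Object -ExpandProperty DistinguishedName
foreach ($dn in @($drsBase,
                  "CN=Device Registration Service,$drsBase",
                  "CN=Device Registration Service DKM,$drsBase")) {
    if ($found -notcontains $dn) { throw "Missing object: $dn" }
}
# The GUID-named child is the Azure AD Connect connection point.
$connectionPoint = $found | Where-Object { $_ -match '^CN=[0-9a-f-]{36},' }
if (-not $connectionPoint) { throw 'No Azure AD Connect connection point (CN=<GUID>) found' }
"Connection point: $connectionPoint"

# 5. Enable device registration, stale-device cleanup and device authentication.
Enable-AdfsDeviceRegistration -Credential (Get-Credential -Message 'Domain administrator')
Set-AdfsDeviceRegistration -MaximumInactiveDays $MaxInactiveDays
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true -DeviceAuthenticationMethod All

# 6. Device authentication as a primary (intranet) method. The provider name below is
#    assumed; check it in the list printed first.
Get-AdfsAuthenticationProvider | Select-Object Name
$policy   = Get-AdfsGlobalAuthenticationPolicy
$intranet = @($policy.PrimaryIntranetAuthenticationProvider) + 'DeviceAuthentication' | Select-Object -Unique
Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider $intranet

# 7. Read back the result.
Get-AdfsDeviceRegistration
Get-AdfsGlobalAuthenticationPolicy |
    Select-Object DeviceAuthenticationEnabled, DeviceAuthenticationMethod, PrimaryIntranetAuthenticationProvider
```

Step 4 throws on a missing container rather than printing it, so the script stops before enabling authentication against an incomplete AD preparation.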

Oct 07
ADFS 4 – Enable Azure MFA as authentication method and/or multi factor authentication for ADFS

One of the improvements in ADFS 4 (on Windows Server 2016) is the integration of Azure MFA, both as a multi-factor authentication method and as a primary authentication method; you can still use certificate-based authentication or the Azure MFA Server (see for the multi-factor methods).

If you want to enable Azure MFA with ADFS 4, you need to follow these steps:

  • generate a certificate for your Azure MFA tenant
  • use that certificate to add a credential to the Azure Multi-Factor Auth Client service principal
  • enable Azure MFA as an authentication provider


Generate a certificate for your Azure MFA tenant

If you check the certificate store on your ADFS server, you should see at least the certificate you use to publish ADFS, plus maybe certificates for the server itself.


To generate the Azure MFA tenant certificate, open a PowerShell prompt and execute the following command. The cmdlet creates the certificate and its private key in the local computer store of the server you run it on, and returns only the public certificate, base64-encoded.

$certbase64 = New-AdfsAzureMfaTenantCertificate -TenantID <your Office 365/Azure tenant ID>


If you refresh the certificate store, you will see a new certificate issued for your tenant. Note its expiry date (NotAfter): the certificate must be renewed and re-registered before it expires, or Azure MFA authentication stops working.



Use the certificate to authenticate against Azure MFA

To use the certificate generated in step 1, you need to add it as a credential to the Azure Multi-Factor Auth Client service principal (SPN).

To do so, you need to be connected to Microsoft Online Services.

Import the MSOnline PowerShell module (you need to have installed the Azure Active Directory Module for Windows PowerShell first) and connect to your tenant with Connect-MsolService

Import-Module MSOnline

$cred = Get-Credential

Connect-MsolService -Credential $cred

# Optional: load the certificate object from the base64 value returned in step 1 (useful to inspect its dates)
$certX509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(,[Convert]::FromBase64String($certbase64))

New-MsolServicePrincipalCredential -AppPrincipalId 981f26a1-7f43-403b-a875-f8b09b8cd720 -Type asymmetric -Usage verify -Value $certbase64

NOTE 1: 981f26a1-7f43-403b-a875-f8b09b8cd720 is the application ID of the Azure Multi-Factor Auth Client; it is the same well-known ID in every tenant.

NOTE 2: you may find other documentation giving the same command with two additional parameters, -StartDate $certX509.GetEffectiveDateString() -EndDate $certX509.GetExpirationDateString(). These parameters are optional, and they usually generate errors because $certX509 was created as an empty X509Certificate object (New-Object without arguments) rather than loaded from the certificate; without them the validity dates are taken from the certificate itself.


Complete the ADFS configuration

Still in the PowerShell prompt, execute the last two commands to enable Azure MFA

Set-AdfsAzureMfaTenant -TenantId <your Office 365/Azure tenant ID> -ClientId 981f26a1-7f43-403b-a875-f8b09b8cd720
Restart-Service adfssrv


The configuration is now complete: the information message telling you that additional steps are required to configure Azure MFA authentication no longer appears in the Authentication Methods properties window.


Et voilà, Azure MFA is available as one of the authentication methods.


Of course, this assumes your users have been registered for Azure MFA.

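The three steps above as one script, with the checks worth running afterwards: whether ADFS reports Azure MFA as configured, what is already registered on the MFA client service principal, and the provider list. This is an added example, not the post's own code; the tenant ID placeholder, the credential prompts and the choice of registering Azure MFA as an additional (second-factor) provider are assumptions, while the application ID is the one the post gives.

```powershell
# Added example, not the original post's code. Run elevated on the ADFS 4 server.
$TenantId       = '<your Office 365/Azure tenant ID>'       # assumed placeholder
$MfaClientAppId = '981f26a1-7f43-403b-a875-f8b09b8cd720'   # Azure Multi-Factor Auth Client (from the post)

# Step 1: create the tenant certificate. The private key is generated in this server's
# local computer store; only the base64 public certificate leaves the box.
$certBase64 = New-AdfsAzureMfaTenantCertificate -TenantId $TenantId
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList @(,[Convert]::FromBase64String($certBase64))
"Tenant certificate {0}, valid until {1:u}" -f $cert.Thumbprint, $cert.NotAfter

# Step 2: register the public certificate as a 'verify' credential on the MFA client SPN.
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential -Message 'Azure AD global administrator')

# Any private key matching a certificate registered here can authenticate to Azure MFA as
# this tenant's ADFS, so list what is already there and remove stale entries with
# Remove-MsolServicePrincipalCredential -AppPrincipalId $MfaClientAppId -KeyIds <KeyId>.
$existing = Get-MsolServicePrincipalCredential -AppPrincipalId $MfaClientAppId -ReturnKeyValues $false |
    Where-Object { $_.Type -eq 'Asymmetric' -and $_.Usage -eq 'Verify' }
"Asymmetric verify credentials already on the MFA client SPN: $(@($existing).Count)"
$existing | Select-Object KeyId, StartDate, EndDate | Format-Table -AutoSize

New-MsolServicePrincipalCredential -AppPrincipalId $MfaClientAppId -Type asymmetric -Usage verify -Value $certBase64

# Step 3: point ADFS at the tenant and restart the service.
Set-AdfsAzureMfaTenant -TenantId $TenantId -ClientId $MfaClientAppId
Restart-Service adfssrv

# Checks: ADFS must now report Azure MFA as configured before the provider is useful.
if (-not (Get-AdfsAzureMfaConfigured)) { throw 'ADFS does not report Azure MFA as configured' }

# Enable it as an additional (second factor) provider; use the Primary* parameters of
# Set-AdfsGlobalAuthenticationPolicy instead if you want it as a primary method.
$policy     = Get-AdfsGlobalAuthenticationPolicy
$additional = @($policy.AdditionalAuthenticationProvider) + 'AzureMfaAuthentication' | Select-Object -Unique
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $additional
(Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
```

The NotAfter value printed in step 1 is the date to put in your certificate-renewal calendar; the script deliberately does not pass -StartDate/-EndDate to New-MsolServicePrincipalCredential, for the reason given in NOTE 2 above.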
Oct 02
Windows Server 2016 – ADFS 4 idpinitiatedsignon is disabled by default

As you may know, a quick way to test an ADFS deployment is to open the idpinitiatedsignon page (https://<ADFS FQDN>/adfs/ls/idpinitiatedsignon.aspx).

As usual, I tried it after deploying my new ADFS 4.0 server and… got this error message

The resource you are trying to access is not available. Contact your administrator for more information.


And the following event is logged

Log Name:      AD FS/Admin
Source:        AD FS
Date:          2/10/2016 7:22:24 AM
Event ID:      364
Task Category: None
Level:         Error
Keywords:      AD FS
Encountered error during federation passive request.

Additional Data

Protocol Name:

Relying Party:

Exception details:
Microsoft.IdentityServer.Web.IdPInitiatedSignonPageDisabledException: MSIS7012: An error occurred while processing the request. Contact your administrator for details.
   at Microsoft.IdentityServer.Web.Protocols.Saml.IdpInitiatedSignOnRequestSerializer.ReadMessage(WrappedHttpListenerRequest httpRequest)
   at Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)


So basically, this says the IdP-initiated sign-on page is disabled, which is quite annoying for testing. ADFS 4 disables it by default for a reason: the page is reachable without authentication and its site dropdown lists the SAML relying party trusts of the farm, so leave it off in production and enable it only while you test.

Looking at the ADFS properties (Get-AdfsProperties | fl *idpinitiatedsignon*) confirms the page is disabled


To enable it, just run Set-AdfsProperties -EnableIdpInitiatedSignonPage $true; run the same command with $false to turn it back off once your test is done.

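An added example (not from the original post) that does the test without leaving the page enabled: it turns the page on, requests it, and restores the previous setting in a finally block, and it pulls the event 364 entries shown above out of the AD FS/Admin log so you can tell a disabled page from another failure. It assumes it runs on an ADFS server with the ADFS module loaded, that the farm name comes from Get-AdfsProperties, and that the property change takes effect within a few seconds without a service restart.

```powershell
# Added example, not the original post's code. Run on an ADFS 4 server.

function Get-IdpInitiatedSignonDeniedEvent {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    # Event 364 whose exception is IdPInitiatedSignonPageDisabledException (MSIS7012) is
    # exactly what a request to the disabled page logs.
    Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 364; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'IdPInitiatedSignonPageDisabledException' } |
        Select-Object TimeCreated, Id,
            @{ n = 'Exception'; e = { (($_.Message -split "`n") | Where-Object { $_ -match 'MSIS7012' } | Select-Object -First 1).Trim() } }
}

function Test-IdpInitiatedSignon {
    $fqdn       = (Get-AdfsProperties).HostName
    $url        = "https://$fqdn/adfs/ls/idpinitiatedsignon.aspx"
    $wasEnabled = (Get-AdfsProperties).EnableIdpInitiatedSignonPage
    try {
        if (-not $wasEnabled) {
            Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
            Start-Sleep -Seconds 5   # assumed: give the service a moment to pick up the property
        }
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing
        [pscustomobject]@{ Url = $url; StatusCode = $resp.StatusCode; WasEnabledBefore = $wasEnabled }
    }
    finally {
        # Restore the previous state: the page is unauthenticated and lists SAML relying parties.
        if (-not $wasEnabled) { Set-AdfsProperties -EnableIdpInitiatedSignonPage $false }
    }
}

Get-IdpInitiatedSignonDeniedEvent | Format-Table -AutoSize
Test-IdpInitiatedSignon
(Get-AdfsProperties).EnableIdpInitiatedSignonPage   # should read False again after the test
```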

Oct 01
Windows Server 2016 – ADFS 4.0 now supports certificate authentication on port 443

You may already know that ADFS 3.0 (on Windows Server 2012 R2) already supports certificate authentication, BUT on a different port than 443 (49443).

With ADFS 4.0 (on Windows Server 2016), certificate authentication can also use port 443, which makes multi-factor authentication with user certificates easier to publish (no extra port to open).

To take advantage of this new capability, you need to update your ADFS certificate so that its subject alternative names include the additional hostname certauth.<your ADFS URL>. If the certificate does not include this additional hostname, ADFS certificate-based authentication keeps using port 49443.

Of course, you will also have to publish this additional URL (certauth.<your ADFS URL>) on your firewall, and, if you publish ADFS through a Web Application Proxy, the certificate used there needs the name too.

Also a reminder: you still need to include the enterpriseregistration.<your UPN suffix> hostname too if you plan to enable Device Registration.

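An added example (not from the original post) that checks, on an ADFS 4 server, whether the service certificate actually carries the names this post and the Device Registration post call for, and whether ADFS has bound certauth on 443 or is still falling back to 49443. It assumes the ADFS module, the ActiveDirectory module (to enumerate UPN suffixes) and that the certificate bound to the farm name on 443 is the one to inspect.

```powershell
# Added example, not the original post's code. Run on an ADFS 4 server.

function Get-AdfsCertificateNameCheck {
    $fqdn     = (Get-AdfsProperties).HostName
    $bindings = Get-AdfsSslCertificate          # HostName / PortNumber / CertificateHash per listener

    # Inspect the certificate bound to the farm name on 443.
    $thumb  = ($bindings | Where-Object { $_.HostName -eq $fqdn -and $_.PortNumber -eq 443 }).CertificateHash
    $cert   = Get-Item "Cert:\LocalMachine\My\$thumb"
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
    $sans   = if ($sanExt) { ($sanExt.Format($false) -split ',\s*') -replace '^DNS Name=', '' } else { @() }

    # Names the certificate must cover: certauth.<ADFS URL> plus enterpriseregistration.<every UPN suffix>.
    Import-Module ActiveDirectory
    $forest      = Get-ADForest
    $upnSuffixes = @($forest.Domains) + @($forest.UPNSuffixes) | Select-Object -Unique
    $required    = @("certauth.$fqdn") + ($upnSuffixes | ForEach-Object { "enterpriseregistration.$_" })

    foreach ($name in $required) {
        $parent = $name.Split('.', 2)[1]
        [pscustomobject]@{
            Name       = $name
            InSAN      = ($sans -contains $name) -or ($sans -contains "*.$parent")
            BoundOn443 = [bool]($bindings | Where-Object { $_.HostName -eq $name -and $_.PortNumber -eq 443 })
        }
    }
}

Get-AdfsCertificateNameCheck | Format-Table -AutoSize

# A 49443 binding still present means certificate authentication is (also) served on the old port;
# it disappears from clients' path only once certauth.<fqdn> is in the SAN and bound on 443.
Get-AdfsSslCertificate | Where-Object { $_.PortNumber -eq 49443 }
```

If InSAN is False for certauth.<fqdn>, reissue the certificate with the extra SAN and re-apply it with Set-AdfsSslCertificate before expecting certificate authentication on 443; a False BoundOn443 for enterpriseregistration.<suffix> is expected until Device Registration has been enabled.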
Sep 28
Office 365 – You can now see if OneDrive is provisioned for a user using the administration portal

You can now see whether a user's OneDrive for Business ('personal') space has been provisioned, including quota and size limits, from the Office 365 Administration portal.

Just log on to the Office 365 Administration portal with a global administrator account, go to Users\Active Users and select the user you want to check. On the right pane, you will see a new OneDrive section with the provisioning details.


Sep 28
Skype for Business / Office 365 – Troubleshoot your Skype for Business Hybrid configuration

As you know, you can set up your on-premises Lync/Skype for Business deployment to work in hybrid mode with Skype for Business Online (as you can with Exchange).

That said, this configuration is not always as smooth and easy as it is for Exchange, and you may end up with issues.

Knowing that, Microsoft has developed a PowerShell script to help you troubleshoot such situations; even if, of course, a single script cannot identify every issue, it will help anyway as it covers the most frequent misconfigurations support has faced.

You can download it from

You will also need the Skype for Business Online PowerShell module installed ( and run the script from a Lync/SfB front end server, with an account that is a member of RTCUniversalServerAdmins and has administration rights on the Skype for Business Online tenant (either Office 365 Global admin or Skype for Business administrator).

Sep 27
Office 365 – Preview of the new OneDrive for Business client

It was announced at the Ignite conference in Atlanta.

A preview of the new OneDrive for Business client is now available.

The following are some of the improvements coming with the new version, some of them long awaited:

  • Ability to sync SharePoint Online document libraries; until now you were still obliged to use the 'old' O4B client for those, while the (so-called) NextGen client synced your personal OneDrive and your OneDrive for Business space (already included in the preview)
  • Activity center, to see activity at a glance (already included in the preview)

In addition to these client-side updates, there are major updates for the web browser and the mobile client:

  • 20 new file types supported for preview and rich thumbnails (rolling out by the end of this year)
  • Download multiple files at once (zipped), finally :) (rolling out by the end of this year)
  • Notifications for the mobile client (already available; see

and many more to come.

So, let's go back to the client side.

You can get the preview version here

You will need to download the new client ( and a registry key to activate the new capabilities (

Stop syncing your libraries with the current client.

Close your current client instances, then install the new client and the registry key.


Once setup completes, close again the instance that started automatically and apply the registry key; the following key and value are added


Start your client again (use OneDrive, not OneDrive for Business).


To start syncing a SharePoint library, you need to open the library in the web browser and choose Sync (as with the current version); there is not yet (?) a way to set up the sync directly from the client.


Then in Windows Explorer you should see something like <your tenant name>, where your SharePoint libraries will be synced; you may still see the 'SharePoint' folder that comes with the current version of O4B.



Sep 26
Office 365 – Be notified when people share content with you on SharePoint Online and OneDrive for Business

A new feature is rolling out (First Release tenants first, then general availability; expected to be completed by the end of the year) which notifies end users by mobile push notification (the same kind you get when a new email arrives in your inbox) when someone shares content with them using SharePoint Online or OneDrive for Business.

This setting is enabled by default and can be managed by SharePoint Online administrators through the SharePoint Online admin center (Settings section).


Benoit is specialized in Microsoft infrastructure (Active Directory, Azure, ForeFront products, Hyper-V, Identity Management, System Center, Windows) and collaboration (BPOS, Exchange, Office 365, SharePoint) technologies.

He has been awarded Microsoft Most Valuable Professional (MVP) since 2002, on Windows, then SharePoint and finally Office 365. He was recognized as Microsoft Community Contributor for his work on the Office 365 community in 2013 and 2014.

He has been involved in the early testing phase of many Microsoft products, from Windows to Office 365, including Exchange, SharePoint, the Office client and Windows Update.

He has participated as speaker or Ask The Expert (ATE) at many Microsoft or Quest events. He also participated in writing several books on SharePoint (2003 to 2010).

With more than 10 years of professional experience, he has a deep knowledge of the Microsoft market and its competitors.


​Privacy Information

This blog is using tracking code for analytics purpose.

No personal data are stored and maintained.


Microsoft Certified Systems Administrator 
Microsoft Certified Systems Administrator - Messaging
Microsoft Certified Systems Engineer 
Microsoft Technology Specialist 
 Microsoft Certified IT Professional


 Books I wrote

Le portail Microsoft SharePoint 
Microsoft Office SharePoint Portal Server 2003 et WSS au quotidien 
Microsoft Office SharePoint Server (MOSS) et Office 2007  
Microsoft Sharepoint 2010