Skip Ribbon Commands
Skip to main content
Benoit s Corner

Benoit's corner

Jul 29
Windows 10 – Now available for download in MSDN

For those who did not have request the automatic update or for enterprise consumers, Windows 10 is now available in MSDN


For those who have requested to get the automatic update – through the white Windows icon in the systray, start to check for updates on Windows Update


Jul 19
Office 365 / SharePoint Online – Restrict file synchronization from domain joined only

As you may know, you can synchronize your content store in SharePoint or SharePoint Online to your local client to keep it available while offline (thanks to the OneDrive for Business client).

With SharePoint Online, you can now restrict this feature to only domain joined client; this will help you to ensure sensitive data is not stored on non managed client.

To do so:

Get the Active Directory Domain GUID

  • First you need to gather the domain GUID for which you want to allow the synchronization feature
    • This GUID is the one for your Active Directory domain(s)
    • If you know you have multiple AD domain, you must first run the following PowerShell command to get all domains (Get-ADForest).Domains
    • Then you have to run the following command to get the GUID for each domain $domains = (Get-ADForest).Domains; foreach($d in $domains) {Get-ADDomain -Identity $d | Select ObjectGuid}


Restrict synchronization for selected domain

  • Once you have the AD GUID, you can then restrict synchronization from SharePoint Online to only this/these domain(s) – off course if you have multiple domains you can also define some of them only
  • To set the restriction you must have SharePoint Online Management Shell – available from – and execute the following command Set-SPOTenantSyncClientRestriction
    • Connect to your SharePoint Online tenant with

      $cred = Get-Credential (save your SharePoint Online Admin credential in the $cred variable)

      Connect-SPOService -Url https://<your Office 365 tenant name> -credential $cred (connect to your SharePoint Online tenant with your saved credentials)

    • Set-SPOTenantSyncClient -Enable -DomainGuids "<replace with your AD GUID – multiple GUID must be separate by a comma>"


Check the existing restriction

If you are not sure if there is any client synch restriction, or need to check which domain(s) is allowed (you will only get the GUID), you need to run the following command



Remove the restriction

To remove the overall restriction, run the following command and the TenantRestrictionEnabled must then be set to FALSE



Good to Know

Additional things to know:

  • It may take up to 24 hours to be applied
  • All synchronization request from a client which is not member of the domain list (GUID) will be blocked
  • All synchronization request from Mac will be blocked – this is obvious as a Mac is not domain joined but it is always good to recall this point
  • Mobile device synchronization is not blocked – if you want to restrict mobile device to sync, you need to use Office 365 MDM or Intune
  • If you already have a synchronization in place from a device which is not domain joined, this will be maintained BUT no more synchronization will occur – however if you add a new files from this client, the files will be uploaded. This means the existing synchronization will ONLY upload new/updated files
  • You need to ensure everyone is using at least the version 15.0.4693.1000 of OneDrive for Business – any version prior to this one will be stop working
Jul 07
Skype for Business – The Windows Phone Skype for Business app is now available

Microsoft has released the new Skype for Business app for Windows Phone.

If you have already installed Lync 2013 Mobile client app for Windows Phone, this has been automatically (or should be) updated.

If not, try to force to update your installed app or download it from the Store

As part of the improvements:

  • off course the same UI than Skype for Business desktop
  • More emoticons available
  • At rest data encryption, meaning IM conversation and voicemail are encrypted by default
  • Conversations are synchronized across all the devices you use



Jul 05
Office 365 – New resources for Office 365 PowerShell

As you may know, many of the administration tasks for Office 365 services have to be done using PowerShell.

Since June 30rd, Microsoft has released a new web site to assist you with Office 365 powershell commands.

This site contains lot of resources and script samples to help you

Go to

Jul 02
Office 365 - Skype for Business Preview

imageWant to be the first to see, test and use what will be coming with Skype for Business and Skype for Business Online??

Go to to sign up for Skype Meeting Broadcast, PSTN Conferencing (US only at this time) and Cloud PBX with PSTN Calling (US only at this time too).

  • Skype Meeting Broadcast will allow you to host live meeting with up to 10 000 attendees with Yammer integration to allow dialog during the broadcast
  • PSTN Conferencing will allow you to host live meeting with Skype for Business Online and invite your participant to dial in to join the conference. As prerequisites, you must have an Office 365 Enterprise plan, or Skype for Business Online Plan 2 or 3 and being hosted in the US
  • Cloud PBX will deliver iPBX features based on Office 365/Skype for Business Online, meaning you will be able to make and receive traditional phone calls directly with your Skype for Business client without the pain of setting up telephony integration On Premises and integration with Online. As prerequisites you must have an Office 365 Enterprise plan or a Skype for Business Online Plan 2 or 3 and being hosted in the US
Jul 02
One more year as MVP

MVP_FullColor_ForScreenI have the great pleasure to announce that I have been renew for one more year as MVP on Office 365 Smile

One more year as part of this great program with lot of opportunity

Jun 27
Office 365 – Azure Active Directory Connect Installation

Following my previous post about the upgrade process from DirSync to AAD Connect (which failed), I decided to go ahead and uninstall DirSync to do a fresh install of AAD Connect.

So let start a fresh install by accepting the license agreement


Then you have the choice to do an Express configuration – which synchronize identities, password and all attributes from the current directory (based on the domain membership of the server) – or do a Custom configuration which let you decide what do synchronize


For the next steps, I choose to do a custom configuration

With the custom configuration you can choose to use a SQL instance (instead of using the SQL Express provided with the tool), define custom installation location, define your own FIN groups

If you choose to define your the service account (used to start the service not to synchronize your directory – even if you can use it for both it is always recommended to use dedicated account for each task) you have to use the following format domain\useraccount – UPN format is not accepted

I choose to define my own service account (to run the synchronization service) and use a SQL instance


Then when you start the installation, the wizard installs additional prerequisites like the sign-in assistant

As I choose to use SQL instance, it also creates the ADSync database on SQL and grants appropriate permission for the service account I defined

NOTE i f you uninstall AAD Connect and where using an SQL instance, the ADSync database will be also deleted


At the next step, you can define which authentication methods you want to use between password synchronization, federation or nothing (meaning you need to define the user’s password on Azure AD/Office 365)


I choose Password Synchronization – I already have ADFS configured and in use, so want to check what will happen there

Then you have to enter your global administrator credentials – as always it is recommended to have setup a dedicated account on your tenant with complex password which never expires


Then it connects to the tenant, validates the credentials and the account role

At the next step you can select which On Premises AD Forest you want to synchronize – if you have only one, that’s easy, if you have more than one you can add them here; strangely you have to manually enter the other AD forest in the FOREST field while with beta/preview version you were able to select them directly using the drop-down menu

The account does not need anymore to be Enterprise Admin BUT need to have permission to manage user and groups objects


Then it checks your directory schema and validates if it meets the prerequisites for synching with Azure Active Directory

If you are going to synchronize multiple AD Forest, you have to define the way to uniquely identity each identity against each directory services


Then you can synchronize the entire directory or select filtering options based on AD groups – this option can be helpful if you are planning a pilot

Do not forget you will be still able to do filtering based on OU or attributes later using the FIM console


Finally you can choose to enable additional features like Exchange Hybrid configuration, password write back…


In my case I enabled Exchange Hybrid, password write back (which requires AAD Premium) and also the new (still in preview) user and group write back (will covers this later in this post)

Then once you have selected (and configured) the additional features, you can check which AD attributes will be synchronized – you can check them using a CSV export

You can even unselect some of them using the I want to further limit the attributes exported to Azure AD and then uncheck the attributes you want

NOTE you will not be able to uncheck mandatory attributes like userprincipalname, accountenabled…


That’s it, you are ready to finalize the configuration. I would recommend to uncheck the Start synchronization if you want to configure OU based filtering

Unchecking this option will disable the scheduled task. Don’t forget to enable it after having configured your OU based filtering


Also, you can enable the Staging option which will let you check what will be synched to Azure AD BUT will not export anything

This useful if you are planning a pilot or preparing the deployment of AAD Connect in parallel of other running instance (DirSync)


 To start a manual synchronization, there is no more any PowerShell command but a command line tool - see

Console Location

With Azure AD Connect, the console which allows you to check the synchronization progress as well as to define OU based filtering is now located within the C:\Program Files\Microsoft Azure AD Sync\UIShell folder and you have to use miisclient.exe to start it

As usual you have to logoff after installing the tool to be able to use the console



Groups and Users Writeback

Groups and Users Writeback is new with ADD Connect and allows you to create groups and users object on your On Premises Active Directory based on objects initially created on Azure Active Directory

If you enable this feature, you have to define where this “written back” group and user objects have to be created on your AD. AAD User will have a randomly generated password set your on AD, so you will have to reset to a known password after their creation.

Password write back is not available for these objects, meaning their cloud password is not synchronized back on your AD.



Device Writeback

If the device writeback is disabled this may be because you need to prepare your AD forest.
Also seems there is still some defect as this feature also comes with ADFS 3.0 and device registration; if you have setup ADFS 3.0 for device registration, you have nothing to do but the option is still unavailable

To prepare the forest, you need to run a PowerShell command prompt (still using Run As Administrator) and execute the AdSyncPrep.psm1 located within the default installation folder C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep. Also you need to execute this command with an Enterprise Admin account

Then you have to execute the following command to enable device writeback Initialize-ADSyncDeviceWriteBack

You will be asked to enter the domain to be prepared and the AD connector account – the one you defined when you connect to your On Premises AD services


NOTE seems there has been another change since the beta/preview builds as you have to reconfigure what you already have defined. This was not the case with the beta/preview builds

Bulk Deletion Prevention

By default, AAD Connect now has bulk deletion prevention enabled BUT with a high threshold set to 500 objects; meaning of less than 500 objects are deleted on AD, this will be synched back to Azure AD.

If you want to either disable – run the following command Disable-ADSyncExportDeletionThreshold – or change the threshold value – run this command Enable-ADSyncExportDeletionThreshold, you then will be asked to enter your Azure AD credentials and the new threshold value (or use the complete command Enable-ADSyncExportDeletionThreshold –DeletionThreshold <value>

Jun 27
Office 365 – Upgrade from DirSync to Azure AD Connect

Following the announcement of the new AAD Connect (Azure Active Directory Connect), I decided to upgrade my DirSync instance (version 1.0.7020).

So the first thing is off course to get the AAD Connect tool either from

Then let start the upgrade….

Some details about my current DirSync configuration:

  • Use OU’s filtering to define where the objects to synchronize are located
  • Device objects are also synchronized
  • Password synch and write back and Hybrid configuration options have been enabled

 Also I'm using ADFS to authenticate against Office 365 and Microsoft Azure services.

As usual, always run as administrator – best it to use a command prompt with the run as administrator option

The setup immediately starts installing all required binaries before starting the configuration wizard



After the classic acknowledgment of the license, you can start configuring

The wizard has detected my DirSync instance and is checking to propose me the best upgrade option


And… it failed. The wizard told me that DirSync is configured with some options which can not be upgraded to Azure AD Connect.


So I checked the Learn more link to try to know which options are involved here but it clearly does not help

Then I checked the TEMP directory on my user profile to check if there is any log file and if so trying to get more details but there is log, no need to check the Windows Event log, there is nothing here too.

So the upgrade process ended by uninstalling DirSync and start a fresh install….

Jun 25
Office 365 / SharePoint Online – External Sharing can now be accepted only by the original email address which invited

An update is currently being deployed on SharePoint which will allows IT administrator to restrict external sharing to be validated only by the original email which sent the invitation.

To enable this, you must connect to your SharePoint tenant using PowerShell and set the RequireAcceptingAccountMatchInvitedAccount to TRUE (by default this is set to FALSE)

To check if your tenant is already updated, run the Get-SPOTenant and check if the parameter is present or not


But stay tuned, more update is coming on SharePoint Online Smile

Jun 25
Office 365 – New “about me” page (Office 365 Profile)

You may be already aware – if not this now the case – every user on Office 365 has a profile page (different from the SharePoint Profile) accessible from the Gear\Office 365 Settings\Me menu. This page provide user details like your contact details or allows you to know more about the license assigned to your account


This page has been updated to deliver a nicer interface Smile


This updated page is/will be available first to whom has the First Release enabled and in the few months to all other.

1 - 10Next

 ‭(Hidden)‬ Blog Tools



Benoit is specialized on Microsoft infrastructure (Active Directory, Azure, ForeFront products, Hyper-V, Identity Management, System Center, Windows) and collaboration (BPOS, Exchange, Office 365, SharePoint) technologies.

He has been awarded as Microsoft Most Valuable Professional (MVP) since 2002 - on Windows, then SharePoint and finally Office 365. He has been recoginzed as Microsoft Community Contributor for his work on the Office 365 community in 2013 and 2014.

He has been involved in early stage of testing phase for many Microsoft products - from Windows to Office 365, including Exchange, SharePoint or Office client and WindowsUpdate.

He has participated as speaker or Ask The Expert (ATE) at many Microsoft or Quest events. He also participed in writing several books on SharePoint (2003 to 2010).

With more than 10 years of professional experience, he has a deep knowledge of the Microsoft market and his competitors.

​Privacy Information

This blog is using tracking code for analytics purpose.

No personal data are stored and maintained.

 Follow me on

 Share This

 Office365 Undercover by Arnaud ALCABEZ

Retrieving Data


Microsoft Certified Systems Administrator 
Microsoft Certified Systems Administrator - Messaging
Microsoft Certified Systems Engineer 
Microsoft Technology Specialist 
 Microsoft Certified IT Professional

 Translation Tool

Translate this page

 FaceBook Fan's Page

 Books I wrote

Le portail Microsoft SharePoint 
Microsoft Office SharePoint Portal Server 2003 et WSS au quotidien 
Microsoft Office SharePoint Server (MOSS) et Office 2007  
Microsoft Sharepoint 2010