As you may already know (if not, this is it), Microsoft has for some time now offered Multi-Factor Authentication (MFA) with Office 365 and Azure Active Directory. This MFA solution is provided by PhoneFactor, which has since been bought by Microsoft.
If you don't know anything about this, take a look here http://blog.hametbenoit.info/Lists/Posts/Post.aspx?ID=618 for the On Premises deployment and http://blog.hametbenoit.info/Lists/Posts/Post.aspx?ID=556 for the Office 365 version.
That said, and while I'm a big fan of this solution, it has had a big hole: it worked ONLY for web browser access; the Office client (and PowerShell) do not support this additional authentication scheme. The workaround was to set up what is called an App Password, which is generated automatically and, in my opinion, is not so secure as it contains only lowercase characters.
After this introduction, here is the GOOD news: support for MFA will soon be available for the Office client (nothing has been said about PowerShell support).
If you want to know more and take part in the preview, read the announcement here http://blogs.office.com/2014/11/12/office-2013-updated-authentication-enabling-multi-factor-authentication-saml-identity-providers/ and join the preview here http://aka.ms/previewauth
Read the announcement carefully, as there are some restrictions.
Hopefully I will be able to share my feedback on this preview soon.
Today, the OneDrive app for Windows Phone – the personal version – has been updated to the version
OK, I usually don't post about such mobile app updates, as they can be frequent, but this one is worth a post as it introduces a new feature.
Indeed, you can now add your OneDrive for Business space to the OneDrive (personal) mobile application.
If this page does not appear when you start the OneDrive app after the update, just hit the button at the top left (just left of the Files menu).
Then just enter your Office 365 organization account.
Once authenticated, your OneDrive for Business will appear in the list of available storage spaces as well as through the Settings\Accounts menu; as you can see, you can add more than one Office 365 OneDrive for Business space.
If you want to reach your OneDrive for Business space, you just need to switch by hitting the Files menu shown below your Office 365 account.
If you are running the preview version of Windows 10, you may be aware that an updated build is available and should be installed through the Update and Recovery section of PC Settings in the Charm bar.
OK, but if you have enabled Media Center, this operation will fail with error code 0x800700EA. I found that it is the Media Center feature which causes this issue, thanks to the Windows community forum (the only place I found the exact same issue, BUT with no solution except reinstalling without enabling Media Center; as a reminder, Media Center comes with a specific product key).
So as I did not want to reinstall (even via an in-place upgrade), I dug a little and found that 2 registry keys have to be updated to let me get the updated version of Windows 10.
You have to change the value of the following keys:
These keys are located under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion and HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion.
After changing the value of these keys, restart the client and go to the Update and Recovery section to get the updated version.
I know OneDrive for Business is not completely working (many synchronization issues have been reported, and there is a lack of troubleshooting tools), but when it works it is really helpful (especially since the storage space was recently increased to 1 TB). I'm myself not a big fan of O4B.
So, that said, and because Microsoft is working hard to improve it, there is a useful Excel file which can help with OneDrive for Business deployment, called OneDrive for Business Client Network Bandwidth Calculator, available for download from http://www.microsoft.com/en-us/download/details.aspx?id=44541 (currently in beta).
This spreadsheet will help you determine the bandwidth consumption for your company when deploying OneDrive for Business.
You can define the number of sites, the number of users per site, the average file size and the client type (mobile, PC...), and it will generate a report with graphics to help you understand what you need to provide a good user experience (if possible with the current version).
Microsoft has updated its Azure Cost Estimation tool, now available at http://www.microsoft.com/en-us/download/details.aspx?id=43376
After installing it, you will be able to scan your on-premises environment (running either on a physical server or on a hypervisor like Hyper-V, SCVMM or ESX) and get a cost estimate for the same environment on Azure.
As a sample, here is the result for a Hyper-V 2012 R2 server running 7 VMs, including SharePoint 2013, Exchange 2013 or Lync 2013, and SQL Server.
Of course you can adjust the costing by changing the Compute Instance.
As you may already know, one of the most complicated tasks for IT and security people is to ensure sensitive corporate data is well protected.
To help them in this task, Microsoft introduced a technology called Rights Management Services (RMS) about a decade ago (the first release was provided with Windows Server 2003 as an additional downloadable component). Since then, with the move to the cloud, RMS has also been made available to Office 365 customers, based on Azure RMS.
That said, the On Premises RMS version has (at least) one limitation: you cannot share RMS-protected documents with external people; you need either to create (and so manage) a user account in your Active Directory for those people, or to implement a federation with the external organization, which requires that organization to implement ADFS too. On the other side, Azure RMS can help share such protected documents with external people BUT does not deliver On Premises protection, meaning you cannot use Azure RMS to protect On Premises file shares, SharePoint sites or Exchange mail flows.
Good news: Microsoft has provided an RMS connector to help you use Azure RMS on your On Premises systems.
To do so, you just have to
I will not go through the first 3 steps (Azure RMS activation, directory synchronization and federation) as there is already a lot of documentation available, even on this blog. So, let's start with the connector installation and systems configuration.
There are 3 files available for download
The connector can be installed on Windows Server 2008 R2 to 2012 R2. If you plan to implement high availability, you have to install it on at least 2 different servers.
During the installation, IIS and all required features will be installed if not already present on the server.
You can use the setup program to install the Azure RMS console on a remote client; if your client does not meet the requirements to install the connector itself, you will automatically be offered to install the console only. This console allows you to manage the servers authorized to use the connector.
It is not necessary to use a dedicated server to host the connector, BUT do not install it on the Exchange, SharePoint or file share servers that are to be protected with the connector.
The connector setup is very simple; just follow the install wizard. There are no specific settings here except the tenant credentials to be entered.
NOTE 1: if the tenant administrator credentials use MFA (multi-factor authentication), the setup will fail; I recommend using a dedicated account, similar to the one used for the Directory Synchronization installation. The error you will get does not clearly say that MFA is not supported, but rather that the user name and password combination is not correct.
NOTE 2: the credentials used here MUST be either an Office 365 Global Administrator, an RMS Tenant Global Administrator or an Azure RMS Connector Administrator. If you plan to use an RMS account, see later in this post for connecting to the Azure RMS tenant and configuring a privileged account.
Once the connector installation has been completed, the first thing to do is to authorize the hosting server to use the Azure RMS connector.
At the end of the installation, the wizard proposes to launch the console to authorize the server. If not, or if you closed the wizard without launching the console, just start it from the Start menu.
In this console, you just have to add the server(s) allowed to use the RMS connector, such as the file share server, Exchange or SharePoint server.
When adding a server, you have to define the server type (Exchange, SharePoint or File Share) and an account (either a service or a computer account).
As the RMS connector uses an IIS web site, by default it uses HTTP traffic; as for any sensitive HTTP communication, it is recommended to use HTTPS.
To enable the RMS connector for HTTPS, just open the IIS console and bind the HTTPS port (443) to a certificate; you can use either your internal Certification Authority or a public one.
You can also configure a binding using a generic URL instead of the server name; this is required if you plan to use load balancing for high availability, and is also recommended even if you deploy only one RMS connector server.
Do not change this URL after you have configured Exchange, SharePoint or file servers to use the RMS connector.
Exchange 2010 SP3 with CU6 or Exchange 2013 CU3 (or later) is supported for use with the RMS connector.
You need to install an updated version of the RMS client if you are running Windows Server 2008 or Windows Server 2008 R2 to support RMS Cryptographic Mode 2 (Windows Server 2012/2012 R2 already support it).
Run the PowerShell script to configure the Exchange server to use the connector (don't forget: always run the script using Run as administrator).
This script automatically creates and updates registry keys; if you want to do it manually, just read the script to get the keys and values.
It will ask you for the RMS connector URL (your RMS connector server(s)).
Once this has been completed, you have to enable Exchange for RMS; see http://technet.microsoft.com/en-us/library/dd351212(v=exchg.150).aspx
By the way, to enable RMS on Outlook Web Access for On Premises, you have to run the following command on Exchange: Set-OWAVirtualDirectory -IRMEnabled $true
SharePoint 2010 or SharePoint 2013 is supported for use with the RMS connector.
As for Exchange Server, if you are not running Windows Server 2012/2012 R2, you need to update the RMS client.
Run the PowerShell scripts to configure the SharePoint server to use the connector (don't forget: always run the scripts using Run as administrator).
As for Exchange, once this has been completed, you have to set up SharePoint for RMS use; see http://technet.microsoft.com/en-us/library/hh545608(v=office.14).aspx
If you are using a proxy server, you may have to configure the RMS connector to use this proxy.
Unfortunately, there is no interface available to do so; you have to manually update the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AADRM\Connector and add a String value called ProxyAddress with the proxy settings as its data (like http://proxyserver:8080).
To configure a privileged Azure RMS account, you need to use the PowerShell module for Azure RMS, available at http://technet.microsoft.com/en-US/library/jj585012.aspx
Then run the following commands
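One way to set that proxy value from an elevated PowerShell session instead of regedit, as an added example that is not part of the original post: the key path and the ProxyAddress value name come from the post, while the function names and the proxy URL http://proxyserver:8080 (the post's own placeholder) are assumptions.

```powershell
# Added example (not from the original post): write and read back the
# ProxyAddress string value under the RMS connector registry key named in the post.
# Run from an elevated PowerShell session on the connector server.
$ConnectorKey = 'HKLM:\SOFTWARE\Microsoft\AADRM\Connector'

function Set-RmsConnectorProxy {
    param(
        [Parameter(Mandatory = $true)][string]$ProxyAddress,
        [string]$Path = $ConnectorKey
    )
    # Accept only an http(s) URL of the form scheme://host[:port], so a typo
    # cannot silently leave the connector with an unusable proxy setting.
    if ($ProxyAddress -notmatch '^https?://[A-Za-z0-9.-]+(:\d{1,5})?/?$') {
        throw "ProxyAddress must look like http://proxyserver:8080, got '$ProxyAddress'"
    }
    if (-not (Test-Path -Path $Path)) {
        # The key should already exist once the connector is installed; create it only if missing
        New-Item -Path $Path -Force | Out-Null
    }
    # REG_SZ value named ProxyAddress, as described in the post
    New-ItemProperty -Path $Path -Name 'ProxyAddress' -Value $ProxyAddress `
        -PropertyType String -Force | Out-Null
    # Return what was actually written so the caller can verify it
    return (Get-ItemProperty -Path $Path -Name 'ProxyAddress').ProxyAddress
}

function Get-RmsConnectorProxy {
    param([string]$Path = $ConnectorKey)
    # Returns $null when the value is absent instead of raising an error
    $item = Get-ItemProperty -Path $Path -Name 'ProxyAddress' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.ProxyAddress
}

# Example usage with the placeholder proxy from the post (replace with your own)
Set-RmsConnectorProxy -ProxyAddress 'http://proxyserver:8080'
Get-RmsConnectorProxy
```

The post does not say whether the connector picks up the new value without a restart; restarting the connector's IIS site afterwards is the safe assumption.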
As announced some time ago, Microsoft has once again introduced a new "simple" feature in Outlook Web Access hosted on Office 365.
This new feature now allows you to send, instead of an attachment, a link to your OneDrive for Business space where the attachment is stored.
There is nothing to do on your side, except wait for the deployment of this feature on your tenant.
Then, you only have to log on to your Exchange Online mailbox using Outlook Web Access (OWA) at https://outlook.office365.com, create a new email and add an attachment using the Attachments or OneDrive files menu, as shown below.
Choosing the OneDrive option opens a new window to let you choose the document to attach from your OneDrive. NOTE: you can only select ONE file at a time.
There are 4 locations displayed:
If you choose Computer, you will be asked whether you want to upload the file to OneDrive for Business or attach it as a classic attachment.
When you choose Upload and Share with OneDrive, a new folder called Email attachments is automatically created (the first time) in your OneDrive for Business space, where all uploaded attachments will be located.
NOTE: To and CC recipients automatically get permission to read and edit the attachment stored on your OneDrive. You can change the permission to restrict it to read-only using the menu.
Here is what the recipient will receive; as you can see, there is NO attachment anymore, but instead a link to your OneDrive.
This new way to send attachments is ONLY available from OWA using a web browser or using the OWA apps for Android or iPhone.
NOTE: this feature was in some way already available, BUT you had to install an Outlook App from the Office Store, as shown below.
Back in February 2014, Microsoft implemented a new security feature on Exchange Online called Message Encryption (see http://blogs.office.com/2013/11/21/introducing-office-365-message-encryption-send-encrypted-emails-to-anyone/).
But this feature required the use of a Microsoft account to decrypt the message. With the service upgrade, it is now possible to bypass this requirement and use a One Time Password (OTP) to decrypt the received message.
For the purpose of this post, I sent an email encrypted by Message Encryption to a Gmail address.
Here is how the encrypted message now looks when viewed by the recipient.
So you have to open the HTML attachment (message.html) and you will see at the bottom a link to request a One Time Password to open the message.
You may get a warning pop-up notifying you that you are going to be redirected.
Then you are redirected to an Office 365 page which waits for the One Time Password that has been sent to the recipient address.
Here is the message received with the One Time Password, valid for 15 min.
After filling in the OTP form with the One Time Password generated, the recipient is able to read the message. Please note the banner and the footer which remind you that the message has been encrypted.
With Windows 10 Technical Preview, Microsoft has introduced a new feature called Task View, which is in fact a way to use multiple different desktops running different applications, both Windows Apps and Desktop Apps.
This feature has been around for a long time on Linux or OS X, and was also available long ago on Windows XP with a PowerToy.
To use it, just hit the Task View icon in the taskbar; this takes you to the Task View interface, which displays the main desktop view (the one started when you log on). Then you just have to hit + Add a desktop (or the + sign if you already have another virtual desktop) to create a new virtual desktop/task view and start your application; repeat as many times as you need.
If you close a virtual desktop/task view, this does not close the applications currently running in this view; these applications go back to the main desktop.
A quick post to say that the upgrade process from Windows 8.1 on a Surface Pro 3 (Core i7 / 8 GB RAM) went very smoothly and was very quick.
After about 15 min, Windows had been upgraded to Windows 10 with no issue. Everything, from the applications (both Windows Apps and Desktop Apps) to the content (cached from OneDrive and OneDrive for Business), is still there and correctly configured.
Good news too: you don't have to suspend BitLocker protection, the install process does it for you, meaning you don't have to stay around while the upgrade is in progress (as there are a few restarts).
Benoit specializes in Microsoft infrastructure (Active Directory, Azure, ForeFront products, Hyper-V, Identity Management, System Center, Windows) and collaboration (BPOS, Exchange, Office 365, SharePoint) technologies.
He has been awarded Microsoft Most Valuable Professional (MVP) since 2002, on Windows, then SharePoint and finally Office 365. He has been recognized as Microsoft Community Contributor for his work on the Office 365 community in 2013 and 2014.
He has been involved in the early testing phase of many Microsoft products, from Windows to Office 365, including Exchange, SharePoint, the Office client and Windows Update.
He has participated as a speaker or Ask The Expert (ATE) at many Microsoft or Quest events. He also participated in writing several books on SharePoint (2003 to 2010).
He is now working as Cloud Solution Architect for an Australian-based company, Kloud, in Sydney, after working at Capgemini Australia, Capgemini and Sogeti France, Microsoft France and Avanade France.
With more than 10 years of professional experience, he has a deep knowledge of the Microsoft market and its competitors.
This blog uses tracking code for analytics purposes.
No personal data is stored or maintained.