Benoit's corner

Sep 01
Office 365 – New settings to set Office 365 landing page

As you may already know, Office 365 services are accessible either directly through their own URLs (such as https://outlook.office365.com or https://<your tenant>.sharepoint.com) or from the Office 365 portal, which also lets end users install software, update their settings, and so on.

However, when an end user types https://portal.office.com, they are redirected by default to their OWA mailbox, while admins are directed to the admin portal.

An upcoming update will allow you to define the landing page.

Setup your Start Page

To do this, just log on to any Office 365 service and open the Office 365 settings menu available from the gear icon.

Then click the new option called Start Page and choose your start page, from the Office 365 portal to Yammer or Outlook; of course, the option to choose the Office 365 admin center is only available to administrators.

The setting takes effect the next time the user logs on to Office 365.

Aug 29
Azure Active Directory – Registered Devices are not synched between Active Directory and Azure Active Directory

Following my previous post about this feature in preview on Azure Active Directory allowing you to set up Join Workplace / Register Devices – see http://blog.hametbenoit.info/Lists/Posts/Post.aspx?ID=609, I ran into an issue. Registered devices are not synched between AD and AAD; devices registered in AD do not show up in the Azure portal, and devices registered in AAD are not synched back to AD.

The directory sync tool shows the following error:

Stack Trace

Microsoft.MetadirectoryServices.ProvisioningBySyncRuleException: The partition filter criteria for management agent "Active Directory Connector" do not include an object with DN "CN=5111aac0-ceae-48fa-885b-cecf9f21bb17,CN=RegisteredDevices,DC=<removed>,DC=<removed>" and object classes msDS-Device.

Of course, there is no RegisteredDevices container available for selection in the MA; that would have been too simple.

Fortunately, the solution is relatively simple.

On the server where the Azure Active Directory Synchronization tool has been installed, open the FIM console (located in the directory "C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell\"; run miisclient.exe).

Then go to the Management Agents tab and open the properties of your Active Directory Connector.

Go to the Configure Directory Partitions section, open Select containers for this partition and enter your AD admin credentials.

Do not change the OU selection (unless you want to update your OU filtering at the same time); click the Advanced button.

Add the DN (Distinguished Name) of the RegisteredDevices container (it should look like CN=RegisteredDevices,DC=<domain>,DC=<top level>) under Specify additional containers to add and ensure the Include container option is selected.

Close all windows and run a full sync, while still within the Management Agents tab:

  1. Select Active Directory Connector and click Run\Full Import Full Sync
  2. Select Windows Azure Active Directory Connector and click Run\Full Import Full Sync
  3. Select Windows Azure Active Directory Connector and click Run\Export
  4. Select Active Directory Connector and click Run\Export

Et voilà, all registered devices – from AD or AAD – are synched.
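Before touching the management agent, it helps to confirm what the sync engine is complaining about: that the RegisteredDevices container actually exists in the on-premises domain and which msDS-Device objects it holds. The following is an added example, not code from the original post or from the sync tool, that performs that check with the ActiveDirectory RSAT module. The container DN is built from the current domain exactly as the error message above shows it; the attribute list (displayName, whenCreated) is my choice and can be extended with other msDS-Device attributes.

```powershell
# Added example (not from the original post): verify the RegisteredDevices container
# and list the msDS-Device objects in it, so the DN you add under "Specify additional
# containers" in the Active Directory Connector MA is known to be correct.
# Assumes the ActiveDirectory RSAT module is installed and you are logged on to the domain.
Import-Module ActiveDirectory

$domainDn    = (Get-ADDomain).DistinguishedName
# The container is a CN directly under the domain root, not an OU,
# which is why it never appears in the MA's container picker.
$containerDn = "CN=RegisteredDevices,$domainDn"

function Test-RegisteredDevicesContainer {
    param([string]$Dn)
    try {
        Get-ADObject -Identity $Dn -ErrorAction Stop | Out-Null
        return $true
    } catch {
        return $false
    }
}

function Get-RegisteredDevice {
    param([string]$Dn)
    # Device objects sit one level below the container and use the msDS-Device class
    # named in the ProvisioningBySyncRuleException above.
    Get-ADObject -LDAPFilter '(objectClass=msDS-Device)' -SearchBase $Dn -SearchScope OneLevel `
                 -Properties displayName, whenCreated |
        Select-Object Name, displayName, whenCreated, DistinguishedName
}

if (Test-RegisteredDevicesContainer -Dn $containerDn) {
    $devices = @(Get-RegisteredDevice -Dn $containerDn)
    $devices | Format-Table -AutoSize
    Write-Host "$($devices.Count) registered device object(s) found under $containerDn."
    Write-Host "Add this DN as an additional container in the Active Directory Connector MA, then run the full import/sync cycle."
} else {
    Write-Warning "$containerDn was not found; Device Registration does not appear to be configured in this domain."
}
```

Run it on any domain-joined machine before and after the MA change: the count before tells you how many objects the connector will pick up, and an empty list afterwards in the Azure portal means the partition filter, not the devices, is still the problem.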

Aug 27
Office 365 / Exchange Online – Exchange 2013 Hybrid mode updated to automate OAuth authentication method support

Today, I upgraded my Exchange 2013 deployment by installing the latest CU – CU 6, available for download here: http://www.microsoft.com/en-us/download/details.aspx?id=44022

Then I wanted to update my hybrid configuration with Office 365, so I connected to my ECP and started the HCW to update the settings.

At the end of the HCW, I discovered that the wizard had been updated to simplify the OAuth authentication configuration, which previously had to be done manually – see http://technet.microsoft.com/en-us/library/dn594521(v=exchg.150).aspx

Everything went smoothly – as usual (at least since the install of the update fixing the failing HCW issue) – until I reached the following window at the end of the wizard, in place of the classic "HCW configuration completed successfully" message.

To continue and complete the configuration, the HCW downloads a tool from http://go.microsoft.com/fwlink/?LinkID=320386

Aug 22
Office 365 – Office On Demand is being retired on November 2014

A major change announcement for Office 365 services.

Office On Demand – a feature which allows installing Office on a client for as long as it is needed – is being retired by November 2014.

http://community.office365.com/en-us/f/172/t/259931.aspx

Aug 22
Microsoft Azure – Now supporting reverse DNS

Big news today!

Microsoft has announced that Microsoft Azure, its PaaS solution, now supports reverse DNS for all Azure services; most importantly, this is also backward compatible with all existing services.

To learn more about this announcement and how to use it, see http://azure.microsoft.com/blog/2014/07/21/announcing-reverse-dns-for-azure-cloud-services/

Aug 20
Office 365 / Office Mobile – SharePoint site content is not updated correctly on Office Mobile

UPDATE 21/08/2014 - I have been informed that this also occurs on Office Mobile on iPhone.

Recently, I discovered that the SharePoint Online site content displayed in Office Mobile – running on Windows Phone 8.1 – is not correctly updated, still showing deleted items or wrong item counts.

This occurs even if you remove the site from Office Mobile and then re-add it.

I initially saw it while running the Developer Preview of Windows Phone 8.1 – so I thought it was a messy bug from this beta version, but as I'm now running the full RTM version, it is no longer a beta bug.

A service request with the Office 365 support team is currently open. I'll update this post as soon as I have a solution, an answer or any additional details regarding this issue.

Aug 18
Azure – Use Windows Azure Multi-Factor Authentication to secure your on-premises applications with your ADFS

As you may already know, Office 365 introduced the use of multi-factor authentication (MFA) some time ago.

This feature is based on the Microsoft Azure Active Directory Multi-Factor Authentication service and allows you to set up additional authentication methods to secure access to your Office 365 tenant.

This also works perfectly fine if you have federated your Office 365 tenant with your internal Active Directory; in this case, the user is first redirected to your ADFS authentication form and then MFA from Office 365 is invoked.

BUT, this secures ONLY your Office 365 services; how can you use this service to secure your other federated services?

This post details all the steps to install and configure Azure MFA on premises with AD integration, the self-service portal and mobile app usage.

The first step is to deploy and configure ADFS 3.0 – included as a server role in Windows Server 2012 R2 – and update your federation trust with Office 365 (this will ensure service continuity after deploying your ADFS 3.0 farm).

Then, you must download, install and configure the multi-factor authentication software on your ADFS server.

As a reminder, MFA is part of the Azure Active Directory Premium offer.

Enable Multi Factor Authentication on Azure Active Directory

Ensure you have MFA enabled on your Microsoft Azure Active Directory – this should already have been done if you have enabled MFA for Office 365. If not, follow these steps – NOTE: this also applies if you don't have Office 365 and want to take advantage of this service; in that case you also have to configure Directory Synchronization with Azure AD.

  • Log on to your Azure management portal using your Office 365 admin account - https://manage.windowsazure.com

NOTE: you may face the error "we were unable to find any subscription associated with your account"; no worries, just click Sign Up for Windows Azure and you will get trial access, which does not expire for the AAD service.

  • Click the New\App Services\Active Directory\Multi Factor Auth provider menu

  • Name the new service and define the usage/licensing mode. For the directory, you should have only one, your Office 365 directory. As we are going to secure other applications, this does not need to be filled in, as the MFA service will be deployed on premises.

Download and Install the Software Piece

  • Once the MFA provider has been created, you must download the software to be deployed on premises. To download it, go to the Active Directory section, click the Multi Factor Auth Provider tab, select your MFA provider and click Manage.

  • From the page that opens, just scroll down a little to find the Downloads section.

  • When you click the Downloads link, you will get a new page with an Activation Credentials button. The download link itself is just above the button.

  • Install the MFA software on your ADFS server. There is no specific option to configure.

  • Once installed, a configuration wizard starts. Choose to skip the wizard.

Configure MFA

  • Return to the MFA administration page and now click the Activation Credentials button; for security reasons, these credentials are valid ONLY for 10 minutes; if you need to regenerate them, just click the button again.

  • In the MFA console, enter the generated credentials and click Activate.

  • Once activated, you can import your users from AD by clicking the Users button and then Import – or use the File\Import Users menu to import from a CSV file.

Configure Directory Synchronization

  • Go to the Directory Integration section and click the Synchronization tab.

  • Click the Add button and select the domain/OU to be synchronized; define all other options according to your needs.

  • Finally, enable the synchronization and set the interval between synchronizations, as well as the actions to take for removed/disabled users.

Integrate with ADFS 3.0

  • Then click the ADFS button to enable the integration with your ADFS. Enable user enrollment; optionally, you can also let users choose the MFA method by enabling the desired options below Allow users to select method. Then click Install AD FS Adapter.

  • To complete the integration, you must then run a PowerShell script to register it as an additional authentication method. Open a Windows PowerShell prompt with Run as administrator and execute the script Register-MultiFactorAuthenticationAdfsAdapter.ps1 located in the directory C:\Program Files\Multi-Factor Authentication Server\

  • Then open your ADFS console and go to the Authentication Policies section to enable Azure MFA.

  • Click Edit for Multi-factor authentication and then enable WindowsAzureMultiFactorAuthentication; of course, you also have to configure for which users/groups, devices or locations MFA is required.

  • Once this has been done, you just have to test it.
  • From a web browser, enter your ADFS URL (https://<ADFS URL>/adfs/ls/IdpInitiatedSignon.aspx) and try to log on with an MFA-enabled account.
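The console steps above (enabling the provider and deciding for which users, devices or locations MFA applies) can also be done and verified from PowerShell, which is useful on a farm with several ADFS servers. The following is an added example, not code from the original post or from the MFA server installer. The provider name WindowsAzureMultiFactorAuthentication, the ADFS cmdlets and the claim types are the standard Windows Server 2012 R2 ones; the policy itself, requiring MFA only for requests that do not come from inside the corporate network, is an assumption about what you want to enforce and should be adapted to your own groups or locations.

```powershell
# Added example (not from the original post): after Register-MultiFactorAuthenticationAdfsAdapter.ps1
# has run, enable the Azure MFA adapter globally and require it for extranet sign-ins only.
# Run on the primary ADFS 3.0 server with the ADFS module available.
Import-Module ADFS

$providerName = 'WindowsAzureMultiFactorAuthentication'

# 1. Confirm the adapter registration actually succeeded before changing policy.
$provider = Get-AdfsAuthenticationProvider | Where-Object { $_.Name -eq $providerName }
if (-not $provider) {
    throw "$providerName is not registered; run Register-MultiFactorAuthenticationAdfsAdapter.ps1 first."
}

# 2. Turn the provider on globally (the same as ticking it under
#    Authentication Policies > Edit Multi-factor authentication in the console).
$policy    = Get-AdfsGlobalAuthenticationPolicy
$providers = @($policy.AdditionalAuthenticationProvider) + $providerName | Select-Object -Unique
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $providers

# 3. Decide WHEN MFA is demanded. This global additional-authentication rule triggers it
#    for any request that does not carry insidecorporatenetwork = true, i.e. the "location"
#    condition from the console. Replace or extend it with group SID conditions as needed.
$extranetOnlyRule = @'
NOT EXISTS([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"])
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $extranetOnlyRule

# 4. Echo the effective configuration so it can be compared with the console view.
Get-AdfsGlobalAuthenticationPolicy | Select-Object AdditionalAuthenticationProvider
Get-AdfsAdditionalAuthenticationRule
```

The IdP-initiated sign-on test described above is still the right way to validate the result: from an internal client the insidecorporatenetwork claim is true and only the primary factor is asked for, from outside the MFA prompt must appear.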

Install MFA Portal

The MFA portal allows users to register themselves.

  • Before installing the user portal, you must enable the IIS server role, including IIS 6 Metabase and ASP.NET. For the purpose of this post, I have also pre-created a new IIS website to use for the self-service portal. It is recommended not to use the default IIS website.
  • Go to the User Portal section and click the Install User Portal button.

  • As the server is a member of an Active Directory domain, the integration is configured automatically; if you prefer to configure it manually, just check Skip automatic Active Directory configuration.

  • Select the IIS website to use for hosting the portal.

  • Then define all other options, like the URL (including http:// or https://), user enrollment and so on; for the URL, do not forget to provide the FULL URL – like https://mfaportal/MultiFactorAuth/

Install the mobile app and the SDK

This step allows the use of the mobile app – available from all mobile app stores – to authenticate with the MFA solution. The SDK is required even if you don't plan to develop applications that use the MFA service.

It is recommended to deploy this on an internet-facing server; for the purpose of this post, I'm installing it on the same server as the previous components.

This requires the IIS role, with ASP.NET and IIS 6 Metabase. For the purpose of this post, I have pre-created a new IIS website – it is recommended not to use the default website; it can also be the same IIS site as the one used for the self-service portal.

  • From the MFA console, go to the Web Service SDK section and click Install Web Service SDK.

  • Select the IIS website to use as the installation target.

  • Open a command prompt with Run as administrator.
  • Browse to C:\Program Files\Multi-Factor Authentication Server and run the MultiFactorAuthenticationMobileAppWebServiceSetup64.msi package.

  • Select the IIS website to host the mobile app web service.

  • Then edit the web.config file located in the C:\inetpub\mfa_portal\MultiFactorAuthMobileAppWebService directory:
    • Update WEB_SERVICE_SDK_AUTHENTICATION_USERNAME and WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD with the values for the service account to be used. A service account has already been set up by the wizard, but as you don't know its password (it is used for the application pool), it is recommended to create a new one and add it as a member of the PhoneFactor Admins group, also created by the wizard. As this file then holds the service account credentials, restrict its file system permissions to the accounts that need to read it.
    • Update the value of pfpaws_pfwssdk_PfWsSdk with the URL of your portal, including https://; it then looks like https://mfaportalurl/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx
  • If you open a web browser and enter this URL, you should be prompted for authentication and then see the ASMX details.

Configure SMTP service

The SMTP service is used to send notification emails to end users enabled for MFA, with the details needed to complete the registration.

  • From the MFA console, go to the Email section, enable Send emails to users and define the settings for your SMTP server.

  • Optionally, you can also customize the notification emails using the Email Content tab. For this post, I'm keeping the defaults, as they provide all the required information.

Enable users for MFA

  • From the MFA console, go to the Users section.

  • Select a user (or multiple users) to enable.
  • Define the authentication method to be used and enable it.

  • An email is sent to the user (thanks to the configuration done earlier) with all the details to complete the configuration.

  • Then the user logs on to the MFA portal to complete the configuration.

  • As I allowed users to choose their authentication method, it is possible to select anything from phone call to mobile app.

  • For the purpose of this post, I chose Mobile App; just click the Generate Activation Code button to generate the tag and code; if the tag cannot be read, the user can enter the URL and the activation code manually.

  • I started my Multi-Factor Auth mobile app and scanned the tag.

  • Then I asked to be authenticated now, which generated a confirmation request on my mobile app.

  • Then complete the security questions. And that's it.

Aug 14
Office 365 – You can now define the cloud user password

As you may already know, since the first release of Office 365, when you create a cloud user account, the system automatically generates a temporary password.

Now, you can also choose to set the user password when you create a new cloud user account.

To do so, just click the Type password link shown in the Create new user account window.

This does not change the fact that this is a temporary password, which must be changed the first time the user logs on.

Aug 13
Microsoft Azure / SharePoint Online – Error when installing PowerShell module: PowerShell 3.0 is required

Recently, I ran into an interesting error trying to install the SharePoint Online PowerShell module or the Microsoft Azure PowerShell modules.

The setup program said "PowerShell 3.0 is required", while of course this was already present on my Windows 8 or Windows Server 2012 R2 installation, as all the other online services PowerShell modules had been installed, including the Online Sign-In Assistant, which also requires PowerShell 3.0.

I also had another one, "a network error occurred when reading the package". This one occurred less often.

So, I dug a little, searching the internet with no luck, trying to reinstall the OS, no luck either... and then I thought to look around the registry.

And I found it:

Just delete the following 2 keys:

  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\00005159B51190400100000000F01FEC
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{95150000-115B-0409-1000-0000000FF1CE}

Et voilà, I was able to install the PowerShell modules successfully.
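Deleting installer state by hand is hard to undo, so it is worth exporting the two keys first and checking what product they describe. The following is an added example, not code from the original post, that does exactly that for the two keys named above: it shows the name value stored in each key, exports it with reg.exe to a backup folder, and removes it only when -Delete is passed. The backup folder location is an assumption; the key paths are the ones from the post.

```powershell
# Added example (not from the original post): inspect, back up and then remove the two
# stale Windows Installer registry keys that made the setup believe PowerShell 3.0 was missing.
# Run from an elevated PowerShell prompt (the HKLM key needs admin rights).
$keys = @(
    'HKCU:\Software\Microsoft\Installer\Products\00005159B51190400100000000F01FEC',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{95150000-115B-0409-1000-0000000FF1CE}'
)
# Assumed backup location; change to a path you keep.
$backupDir = Join-Path $env:TEMP 'psmodule-setup-regbackup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

function Remove-StaleInstallerKey {
    param([string[]]$Path, [string]$BackupDir, [switch]$Delete)

    foreach ($p in $Path) {
        if (-not (Test-Path $p)) {
            Write-Host "Not present, nothing to do: $p"
            continue
        }

        # Show what the key claims to be, so you can confirm it is the stale product entry
        # (Installer\Products keys carry ProductName, Uninstall keys carry DisplayName).
        $props = Get-ItemProperty -Path $p
        $label = if ($props.DisplayName) { $props.DisplayName }
                 elseif ($props.ProductName) { $props.ProductName }
                 else { '(no name value)' }
        Write-Host "Found: $p -> $label"

        # reg.exe wants the long hive names, not the PSDrive form.
        $regPath = $p -replace '^HKCU:\\', 'HKEY_CURRENT_USER\'
        $regPath = $regPath -replace '^HKLM:\\', 'HKEY_LOCAL_MACHINE\'
        $file = Join-Path $BackupDir (($p -split '\\')[-1] + '.reg')
        reg.exe export $regPath $file /y | Out-Null
        Write-Host "Backed up to $file"

        if ($Delete) {
            Remove-Item -Path $p -Recurse -Force
            Write-Host "Deleted $p"
        } else {
            Write-Host 'Dry run; re-run with -Delete to remove the key.'
        }
    }
}

Remove-StaleInstallerKey -Path $keys -BackupDir $backupDir            # inspect and back up only
# Remove-StaleInstallerKey -Path $keys -BackupDir $backupDir -Delete  # then delete
```

If the setup still fails after the keys are gone, the .reg files in the backup folder can be re-imported with `reg.exe import` to restore the original state.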

Aug 07
Exchange – Mobile Device Stuck in Quarantine

Recently, I found an old device in quarantine in my Exchange environment (ECP\Mobile\Mobile Device Access).

Initially this was normal, because I had applied a mobile device access policy to quarantine all new mobile devices using the ActiveSync protocol to connect to Exchange mailboxes.

In this case, I don't know why it was never approved (or rejected), but it had been stuck in quarantine since July 2013. Quite a long time ago.

As I wanted to clear the quarantine, I tried to allow it (as this device belongs to me) but... no luck; it failed with the error:

The operation couldn't be performed because object 'Benoit HAMET' couldn't be found on '<domain controller>'.

OK, that may make sense, as the related account has since been moved to Exchange Online.

So, I tried another way with PowerShell and ran the following command to find any devices quarantined for more than 1 month and delete them:

Get-MobileDevice | Where {$_.DeviceAccessState -eq "Quarantined" -and $_.FirstSyncTime -lt (Get-Date).AddMonths(-1)} | Remove-MobileDevice

But it failed again with a similar error.

As almost everything related to Exchange is stored in AD, I started looking at the attributes of the user account but found nothing using the ADUC console – in fact, I found the allowed devices attribute but nothing related to pending or quarantined devices.

So, I switched to ADSIEdit (our good friend for any AD deep stuff) and started looking around the user object... and I found it.

ALL the mobile devices associated with a user are located under the CN=ExchangeActiveSyncDevices sub-branch, below the user object.

So, in order not to delete the wrong device, I ran the command again to get its name in Exchange:

Get-MobileDevice | Where {$_.DeviceAccessState -eq "Quarantined" -and $_.FirstSyncTime -lt (Get-Date).AddMonths(-1)}

This returns all the properties of any quarantined device.

Then, using the value of the Name attribute, I was able to locate the correct object in ADSIEdit and delete it.
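The two commands above can be combined into a script that takes the same path the post took, but without the manual ADSIEdit step and without the risk of deleting the wrong object. The following is an added example, not code from the original post: it reports quarantined devices older than a month, attempts the supported Remove-MobileDevice removal first, and only when Exchange cannot resolve the owner (the error shown above) falls back to the device object under CN=ExchangeActiveSyncDevices, which is the DN Get-MobileDevice already returns. Everything is a dry run (-WhatIf) unless -Remove is given. It assumes the Exchange Management Shell plus the ActiveDirectory RSAT module; the check that the AD object is of class msExchActiveSyncDevice before deleting it is my addition.

```powershell
# Added example (not from the original post): clean up ActiveSync devices stuck in
# quarantine, falling back to the AD object only when Exchange cannot remove them.
# Run in the Exchange Management Shell on a server with the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-StaleQuarantinedDevice {
    param([int]$OlderThanMonths = 1)
    $cutoff = (Get-Date).AddMonths(-$OlderThanMonths)
    Get-MobileDevice |
        Where-Object { $_.DeviceAccessState -eq 'Quarantined' -and $_.FirstSyncTime -lt $cutoff } |
        Select-Object Name, DeviceId, DeviceType, UserDisplayName, FirstSyncTime, DistinguishedName
}

function Remove-StaleQuarantinedDevice {
    param([int]$OlderThanMonths = 1, [switch]$Remove)

    foreach ($device in Get-StaleQuarantinedDevice -OlderThanMonths $OlderThanMonths) {
        try {
            # Supported path: Exchange removes the device and its AD object together.
            Remove-MobileDevice -Identity $device.DistinguishedName -Confirm:$false `
                                -WhatIf:(-not $Remove) -ErrorAction Stop
        } catch {
            # Typical when the mailbox owner was moved (e.g. to Exchange Online) and the
            # user object Exchange expects can no longer be found on the domain controller.
            Write-Warning "Exchange could not remove '$($device.Name)': $($_.Exception.Message)"

            # Device objects live under CN=ExchangeActiveSyncDevices,<user DN>. The DN returned by
            # Get-MobileDevice points at that object; verify its class before deleting it.
            $adObject = Get-ADObject -Identity $device.DistinguishedName -ErrorAction SilentlyContinue
            if ($adObject -and $adObject.ObjectClass -eq 'msExchActiveSyncDevice') {
                Remove-ADObject -Identity $adObject.DistinguishedName -Confirm:$false -WhatIf:(-not $Remove)
            } else {
                Write-Warning "Skipping '$($device.DistinguishedName)': not an msExchActiveSyncDevice object."
            }
        }
    }
}

Get-StaleQuarantinedDevice | Format-Table -AutoSize   # review first
Remove-StaleQuarantinedDevice                         # dry run (WhatIf)
# Remove-StaleQuarantinedDevice -Remove               # actually delete once the report looks right
```

Keeping the report step separate from the removal step gives you the Name value the post used to find the object in ADSIEdit, so the two approaches can be cross-checked before anything is deleted.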

About

Benoit specializes in Microsoft infrastructure (Active Directory, Azure, ForeFront products, Hyper-V, Identity Management, System Center, Windows) and collaboration (BPOS, Exchange, Office 365, SharePoint) technologies.

He has been awarded Microsoft Most Valuable Professional (MVP) since 2002 - on Windows, then SharePoint and finally Office 365. He has been recognized as a Microsoft Community Contributor for his work in the Office 365 community in 2013 and 2014.

He has been involved in the early testing phases of many Microsoft products - from Windows to Office 365, including Exchange, SharePoint, the Office client and Windows Update.

He has participated as a speaker or Ask The Expert (ATE) at many Microsoft or Quest events. He also took part in writing several books on SharePoint (2003 to 2010).

He is now working as a Cloud Solution Architect for an Australian-based company, Kloud, in Sydney, after working at Capgemini Australia, Capgemini and Sogeti France, Microsoft France and Avanade France.

With more than 10 years of professional experience, he has a deep knowledge of the Microsoft market and its competitors.