
Benoit's corner

Aug 27
Office 365 / Exchange Online – Exchange 2013 Hybrid mode updated to automate OAuth authentication method support

Today, I have upgraded my Exchange 2013 deployment by installing the latest CU – CU 6 available for download here

Then I wanted to update my hybrid configuration with Office 365, so I connected to my ECP and started the HCW to update the settings.

At the end of the HCW, I discovered that the wizard has been updated to simplify OAuth authentication configuration which was done manually previously – see

Everything went smoothly – as usual (and at least since the install of the update to solve the HCW failing issue) until I reached the following window at the end of the wizard, in place of the classic HCW configuration completed successfully message.


To continue and complete the configuration, the HCW downloads a tool from






Aug 22
Office 365 – Office On Demand is being retired on November 2014

A major change announcement for Office 365 services.

Office On Demand – a feature which allows you to install Office on a client for the time of need – is being retired by November 2014

Aug 22
Microsoft Azure – Now supporting reverse DNS

Big news today :)

Microsoft has announced that Microsoft Azure, its PaaS solution, now supports Reverse DNS for all Azure services; most importantly, this is also backward compatible for all existing services.

To know more about this announcement and how to use it see

Aug 20
Office 365 / Office Mobile – SharePoint site content is not updated correctly on Office Mobile

UPDATE 21/08/2014 - I have been informed that this occurs also on Office Mobile on iPhone

Recently, I discovered that the SharePoint Online site content displayed on Office Mobile – running on Windows Phone 8.1 – is not correctly updated, still showing deleted items or wrong item counts (as shown below).

This occurs even if you remove the site from Office Mobile and then re add it.

I initially saw it while running the Developer Preview of Windows Phone 8.1 – so I thought it was a messy bug from this beta version, but as I’m now running the full RTM version, this is no longer a beta bug :)


A service request to the Office 365 support team is currently open. I’ll update this post as soon as I have a solution, answer or any additional details regarding this issue.

Aug 18
Azure – Use Windows Azure Multi Factor Authentication to secure your on premises application and with your ADFS

As you may already know, Office 365 introduced the use of multi factor authentication (MFA) some time ago.

This feature is based on the Microsoft Azure Active Directory Multi Factor service and allows you to set up additional authentication methods to secure access to your Office 365 tenant.

This works also perfectly fine if you have federated your Office 365 tenant with your internal Active Directory; in this case, the user is first redirected to your ADFS authentication form and then MFA from Office 365 is instantiated.

BUT, this secures ONLY your Office 365 services; how can you use this service to secure your other federated services?

This post details all steps to install and configure Azure MFA On Premises with AD integration, self service portal and mobile app usage.

The first step is to deploy and configure ADFS 3.0 – included as server role in Windows Server 2012 R2 – and update your federation trust with Office 365 (this will ensure service continuity after deploying your ADFS 3.0 farm).

Then, you must download, install and configure the multi authentication form on your ADFS server.

As a reminder, MFA is part of the Azure Active Directory Premium offer.


Enable Multi Factor Authentication on Azure Active Directory

Ensure you have MFA enabled on your Microsoft Azure Active Directory – this should have been done already if you have enabled MFA for Office 365. If not, follow the steps below – NOTE this also applies if you don’t have Office 365 and want to take advantage of this service; in this case you also have to configure Directory Synchronization with Azure AD

  1. Log on to your Azure management portal using your Office 365 admin account -

NOTE you may face the error “we were unable to find any subscription associated with your account”; no worries, just click on Sign Up for Windows Azure and you will get trial access – which will not expire for the AAD service.


  • Click on the New\App Services\Active Directory\Multi Factor Auth provider menu


  • Name the new service, define the usage/licensing mode. For the directory, you should have only one, your Office 365. As we are going to secure other applications, this does not need to be filled as the MFA service will then be deployed On Premises



Download and Install the Software Piece

  • Once the MFA service has been successfully created, you must download the software piece to be deployed on premises. To download it, go to the Active Directory section, click on the Multi Factor Auth Provider tab, select your MFA provider and click Manage


  • From the new page opened, just scroll down a little to find the Downloads section


  • When you click on the Downloads link, you will get a new page with an Activation Credentials button. The download link itself is just on top of the button.


  • Install the MFA software on your ADFS server. There is no specific option to configure.


  • Once installed, a configuration wizard starts. Choose to Skip the wizard



Configure MFA

  • Return to the MFA administration page and now click the Activation Credentials button; for security reasons, these credentials are valid ONLY for 10 minutes; if you need to regenerate them, just hit the button again


  • On the MFA console, enter the credentials generated and click on Activate


  • Once activated, you can import your users from AD by hitting the Users button and Import – or using the File\Import Users menu to import from a CSV file




Configure Directory Synchronization

  • Reach the Directory Integration option and click on the Synchronization tab


  • Click on the Add button and select the domain/OU to be synchronized; define all other options according to your needs


  • Finally enable the synchronization and the interval between each synchronization, as well as actions related to removed/disabled users



Integrate with ADFS 3.0

  • Then click on the ADFS button to enable the integration with your ADFS. Enable user enrollment; optionally you can also let the user choose the MFA method by enabling the desired option below Allow users to select method. Then click on Install AD FS Adapter


  • To complete the integration, you must then run a PowerShell script to register it as an additional authentication method. Open a Windows PowerShell command line using Run as administrator and execute the script Register-MultiFactorAuthenticationAdfsAdapter.ps1 located within the directory C:\Program Files\Multi-Factor Authentication Server\


  • Then open your ADFS console and reach the Authentication Policies section to enable the MFA from Azure


  • Click on Edit for the Multi factor authentication and then enable WindowsAzureMultiFactorAuthentication; of course you have to configure which users/groups, devices or locations MFA applies to


  • Once this has been done, you just have to test it :)
  • From a web browser, enter your ADFS URL (https://<ADFS URL>/adfs/ls/IdpInitiatedSignon.aspx) and try to log on using an MFA-enabled account
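
A check to run after the steps above, confirming that AD FS has the adapter registered, enabled, and backed by a rule that actually requires it (added example, not part of the original post or of the MFA Server tooling; Test-AdfsMfaAdapter is a hypothetical helper name, and it assumes the AD FS PowerShell module of Windows Server 2012 R2 on the federation server):

```powershell
# Added example: run in an elevated PowerShell session on the AD FS 3.0 server.
# Test-AdfsMfaAdapter is a hypothetical helper name, not a Microsoft cmdlet.
Import-Module ADFS

function Test-AdfsMfaAdapter {
    param(
        # Adapter name as shown in the AD FS console after registration
        [string]$AdapterName = 'WindowsAzureMultiFactorAuthentication'
    )

    # 1. Did Register-MultiFactorAuthenticationAdfsAdapter.ps1 register the adapter?
    $registered = @(Get-AdfsAuthenticationProvider |
        Where-Object { $_.Name -eq $AdapterName }).Count -gt 0

    # 2. Is it selected as an additional authentication method in the global policy?
    $policy  = Get-AdfsGlobalAuthenticationPolicy
    $enabled = $policy.AdditionalAuthenticationProvider -contains $AdapterName

    # 3. Is there a rule that triggers it? Enabling the adapter without selecting
    #    users/groups, devices or locations leaves MFA available but never required.
    $globalRule    = (Get-AdfsAdditionalAuthenticationRule).AdditionalAuthenticationRules
    $hasGlobalRule = -not [string]::IsNullOrWhiteSpace($globalRule)
    $rpWithRule    = @(Get-AdfsRelyingPartyTrust |
        Where-Object { $_.AdditionalAuthenticationRules } |
        Select-Object -ExpandProperty Name)

    [pscustomobject]@{
        AdapterRegistered      = $registered
        EnabledInGlobalPolicy  = $enabled
        GlobalTriggerRuleSet   = $hasGlobalRule
        RelyingPartiesWithRule = $rpWithRule
        MfaCanBeEnforced       = $registered -and $enabled -and
                                 ($hasGlobalRule -or $rpWithRule.Count -gt 0)
    }
}

Test-AdfsMfaAdapter | Format-List
```

If MfaCanBeEnforced is False while the first two values are True, the adapter is installed but no user, group, device or location condition has been set, so the test logon will succeed with the password alone.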


    Install MFA Portal

    The MFA portal allows users to self-register.

    • Before installing the user portal, you must enable IIS server role, including IIS 6 Metabase and ASP.Net. For the purpose of this post, I have also pre created a new IIS web site to use for the self service portal. It is recommended to not use the default IIS website
    • Reach the User Portal section and click the Install User Portal button


    • As the server is part of an Active Directory, the integration will be configured automatically; if you choose to configure manually just check the Skip automatic Active Directory configuration


    • Select the IIS web site to use for hosting the portal


    • Then define all other options, like the URL (include HTTP:// or HTTPS://), user enrollment, etc.; for the URL, do not forget to provide the FULL URL – like https://mfaportal/MultiFactorAuth/



    Install the mobile app and the SDK

    This step allows you to use the mobile app – available from all mobile app stores – to authenticate using the MFA solution. The SDK is required even if you don’t plan to develop applications which will use the MFA service.

    It is recommended to deploy this on an internet-facing server; for the purpose of this post, I’m installing on the same server as the previous components.

    This requires the IIS role installed, with ASP.Net and IIS 6 Metabase. For the purpose of this post, I have pre-created a new IIS website – it is recommended to not use the default website; it can also be the same IIS site as the one used for the self service portal

    • From the MFA console, reach the Web Service SDK section and hit the Install Web Service SDK


    • Select the IIS web site to use as installation target


    • Open a command prompt using Run as administrator
    • Browse to C:\Program Files\Multi-Factor Authentication Server and run the MultiFactorAuthenticationMobileAppWebServiceSetup64.msi package


    • Select the IIS website to host the web service mobile application


    • Then edit the web.config file located within the C:\inetpub\mfa_portal\MultiFactorAuthMobileAppWebService directory
      • Update the WEB_SERVICE_SDK_AUTHENTICATION_USERNAME and WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD with the value for the service account to be used. A service account has been already setup using the wizard but as you don’t know the password (used for the application pool), it is recommended to create a new one and add it as member of the PhoneFactor Admins group created also by the wizard
      • Update the value of pfpaws_pfwssdk_PfWsSdk with the URL of your portal – include HTTPS; it then looks like https://mfaportalurl/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx
    • If you open a web browser window and enter this URL, you should get prompted for authentication and then get the ASMX details


      Configure SMTP service

      The SMTP service will be used to send notification email to end-users enabled for MFA with details to complete the registration.

      • From the MFA console, reach the Email section and enable the Send emails to users and define your own settings for using your SMTP server


      • Optionally, you can also customize the notification emails thanks to the Email Content tab. For this post, I’m keeping all by default as it provides all required information

      Enable users for MFA

      • From the MFA console, reach the Users section


      • Select a user (or multiple users) to enable
      • Define the authentication method to be used and enable it


      • An email is sent to the user (thanks to the configuration done earlier) with all the details to complete the configuration


      • Then the user logs on to the MFA portal to complete the configuration


      • As I allowed to choose which authentication method to use, it is possible to select from phone call to mobile app


      • For the purpose of this post, I choose Mobile App; just click on the Generate Activation Code button to get the tag and code generated; if needed, the user can manually enter the URL and the activation code if the tag cannot be read


      • I start my Multi Factor Auth mobile app and present the tag


      • Then I asked for being authenticated now, which generates a request on my mobile app for confirmation


      • Then complete the security questions. And that’s it
      Aug 14
      Office 365 – You can now define the cloud user password

      As you may already know, since the first release of Office 365, when you create a cloud user account, the system automatically generates a temporary password.

      Now, you can also choose to set the user password when you create a new cloud user account.

      To do so, just click on the Type password link shown in the Create new user account window


      This does not change the fact that this is a temporary password which needs to be changed the first time the user logs on.

      Aug 13
      Microsoft Azure / SharePoint Online – Error when installing PowerShell module: PowerShell 3.0 is required

      Recently, I ran into an interesting error trying to install SharePoint Online PowerShell Module or Microsoft Azure PowerShell modules.

      The setup program said “PowerShell 3.0 is required”, while of course this has already been enabled on my Windows 8 or Windows Server 2012 R2 installation, as all other online services PowerShell modules have been installed, including the Online Sign In Assistant which also requires PowerShell 3.0


      I also had another one, a network error occurred when reading the package. This one occurred less often.

      So, I dug a little, searching internet with no luck, trying to reinstall the OS, no luck either… and then I thought to look around the registry.

      And I found:

      Just delete the 2 following keys:

      • HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\00005159B51190400100000000F01FEC
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{95150000-115B-0409-1000-0000000FF1CE}

      Et voilà, I have been able to successfully install the PowerShell modules.

      Aug 07
      Exchange – Mobile Device Stuck in Quarantine

      Recently, I just found an old device put in quarantine on my Exchange environment (ECP\Mobile\Mobile Device Access).

      Initially this was normal because I applied a mobile device policy to put in quarantine all new mobile devices using the ActiveSync protocol to connect to the Exchange mailbox.

      In this case, I don’t know why it was not approved (or rejected), and it was stuck in quarantine since July 2013. Quite a long time ago :)


      As I wanted to clear the quarantine, I tried to allow it (as this device belongs to me) but… no luck; it failed with the error

      The operation couldn't be performed because object 'Benoit HAMET' couldn't be found on '<domain controller>'.


      Ok, it may make sense as the related account has been moved to Exchange Online since then.

      So, I tried another way with PowerShell and ran the following command to find any device in quarantine for more than 1 month and delete them

      Get-MobileDevice | Where {$_.DeviceAccessState -eq "Quarantined" -and $_.FirstSyncTime -lt (Get-Date).AddMonths(-1)} | Remove-MobileDevice

      But failed again with a similar error.

      As almost everything related to Exchange is stored on AD, I started looking on the attributes of the user account but found nothing using ADUC console – in fact I found the allowed devices attribute but nothing related to pending or quarantine.

      So, I switched to ADSIEdit (our good friend for any AD deep stuff) and started looking around the user object… and I found it :)

      ALL the mobile devices associated to a user are located just below the subbranch CN=ExchangeActiveSyncDevices, below the user object


      So, in order to not delete the wrong device, I ran the command again to get its name on Exchange

      Get-MobileDevice | Where {$_.DeviceAccessState -eq "Quarantined" -and $_.FirstSyncTime -lt (Get-Date).AddMonths(-1)}

      Which returns all the properties associated on any device put in quarantine

      Then, using the value of the Name attribute, I was able to locate the correct value on ADSIEdit and delete it
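
The ADSIEdit lookup described above can also be done from PowerShell, with a dry run before anything is deleted (added example, not from the original post; Find-UserActiveSyncDeviceObject is a hypothetical helper name, it assumes the ActiveDirectory RSAT module, and the user and device names in the usage comment are placeholders):

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and rights on the user object.
# Find-UserActiveSyncDeviceObject is a hypothetical helper, not an Exchange cmdlet.
Import-Module ActiveDirectory

function Find-UserActiveSyncDeviceObject {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$Identity,    # sAMAccountName or DN of the user
        [Parameter(Mandatory)][string]$DeviceName,  # Name value returned by Get-MobileDevice
        [switch]$Remove
    )

    $user      = Get-ADUser -Identity $Identity
    $container = "CN=ExchangeActiveSyncDevices,$($user.DistinguishedName)"

    # Only direct children of the container that are ActiveSync device objects
    $devices = @(Get-ADObject -SearchBase $container -SearchScope OneLevel `
        -LDAPFilter '(objectClass=msExchActiveSyncDevice)' -Properties whenCreated)

    # Exact match, compared client-side so special characters in the name need no escaping
    $match = @($devices | Where-Object { $_.Name -eq $DeviceName })

    if ($match.Count -ne 1) {
        Write-Warning "Expected exactly one object named '$DeviceName', found $($match.Count). Nothing removed."
        return $devices | Select-Object Name, whenCreated, DistinguishedName
    }

    if ($Remove -and $PSCmdlet.ShouldProcess($match[0].DistinguishedName, 'Remove ActiveSync device object')) {
        Remove-ADObject -Identity $match[0] -Recursive -Confirm:$false
    }
    $match[0] | Select-Object Name, whenCreated, DistinguishedName
}

# Dry run first (placeholders): reports what would be deleted without touching the directory.
# Find-UserActiveSyncDeviceObject -Identity 'jdoe' -DeviceName '<Name from Get-MobileDevice>' -Remove -WhatIf
```

Without -Remove the function only lists the matching object; when the name does not match exactly one device it returns every device object under the user so the right one can be identified before deleting.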


      Jul 23
      Lync 2013 – Push notification not working

      While working on a recent Lync 2013 project, we faced an issue with the push notification which was not working as expected – some got the notifications, some not.

      After reviewing all the configuration on the Lync servers (front ends and edge) and finding nothing, I found that the setting for the Lync Online federated provider was set to Allow users to communicate only with people in their Contacts list and thought ‘wait, the push service is an unknown people’, so let’s try switching to Allow users to communicate with everyone using this provider.


      Et voila, push notification starts working for everyone as expected.

      Jul 14
      Windows 8 – The latest updates from OneDrive (formerly called Skydrive) does not keep available offline sub content automatically

      On Windows 8.1 client, the latest OneDrive updates have changed the inheritance of the "make available offline" setting.

      Indeed, previously, all content I stored below my OneDrive Documents folder was automatically set as available offline because I set the parent folder (Documents) to do so.

      Unfortunately since the last OneDrive update, this inheritance has been broken and you have to manually select each new item one by one to be kept available offline.

      It seems this is not the only issue with the last updates.




      Benoit specializes in Microsoft infrastructure (Active Directory, Azure, ForeFront products, Hyper-V, Identity Management, System Center, Windows) and collaboration (BPOS, Exchange, Office 365, SharePoint) technologies.

      He has been awarded as Microsoft Most Valuable Professional (MVP) since 2002 - on Windows, then SharePoint and finally Office 365. He has been recognized as Microsoft Community Contributor for his work on the Office 365 community in 2013 and 2014.

      He has been involved in the early stages of testing for many Microsoft products - from Windows to Office 365, including Exchange, SharePoint or Office client and WindowsUpdate.

      He has participated as speaker or Ask The Expert (ATE) at many Microsoft or Quest events. He also participated in writing several books on SharePoint (2003 to 2010).

      He is now working as Cloud Solution Architect for an Australian-based company, Kloud, in Sydney, after working at Capgemini Australia, Capgemini and Sogeti France, Microsoft France and Avanade France.

      With more than 10 years of professional experience, he has a deep knowledge of the Microsoft market and its competitors.



      Microsoft Certified Systems Administrator 
      Microsoft Certified Systems Administrator - Messaging
      Microsoft Certified Systems Engineer 
      Microsoft Technology Specialist 
       Microsoft Certified IT Professional


       Books I wrote

      Le portail Microsoft SharePoint 
      Microsoft Office SharePoint Portal Server 2003 et WSS au quotidien 
      Microsoft Office SharePoint Server (MOSS) et Office 2007  
      Microsoft Sharepoint 2010