Benoit's corner

Nov 13
Azure / Office / Office 365 – Support for MFA for Office applications is coming

As you may already know – if not, now you do – Microsoft has provided Multi-Factor Authentication (MFA) with Office 365 and Azure Active Directory for some time now. This MFA solution is provided by PhoneFactor, which has since been bought by Microsoft.

If you don’t know anything about this just take a look here http://blog.hametbenoit.info/Lists/Posts/Post.aspx?ID=618 for On Premises deployment and http://blog.hametbenoit.info/Lists/Posts/Post.aspx?ID=556 for the Office 365 version.

That said, and while I’m a big fan of this solution, there has been a big hole in it: it worked ONLY for web browser access; the Office clients (and PowerShell) do not support this additional authentication scheme. The workaround was to set up what is called an App Password, which is automatically generated and, in my opinion, is not so secure as it contains only lowercase characters.

After this introduction, here is the GOOD news…. Support for MFA will be available soon for Office clients (nothing said about PowerShell support).

If you want to know more and take part in the preview, read the announcement here http://blogs.office.com/2014/11/12/office-2013-updated-authentication-enabling-multi-factor-authentication-saml-identity-providers/ and join the preview here http://aka.ms/previewauth

Read the announcement carefully as there are some restrictions.

Hopefully I will be able to give you my feedback on this preview soon.

Oct 29
Windows Phone – Updated version of OneDrive (personal)

Today, the OneDrive app for Windows Phone – the personal version – has been updated to the version

Ok, I usually don’t post about such mobile app updates – as they can be frequent – but this one is interesting as it introduces a new feature.

Indeed, you can now add your OneDrive for Business space into the OneDrive (personal) mobile application

If this page does not come up when you start the OneDrive app after the update, just hit the button on the top left (just left of the Files menu)

Then just enter your Office 365 organization account

Once authenticated, your OneDrive for Business will appear in the list of available storage space as well as through the Settings\Accounts menu; as you can see, you can add more than one Office 365 OneDrive for Business space

If you want to reach your OneDrive for Business space, you just need to switch by hitting the Files menu shown below your Office 365 account

Oct 27
Windows 10 – Failed to check for new preview build. Please try again. 0x800700EA SOLVED

If you are running the preview version of Windows 10, you may be aware that an updated version is available and should be installed through the Update and Recovery section from the PC Settings in the Charm bar.

Ok, but if you have enabled Media Center this operation will fail with the error code 0x800700EA. I found that it is the Media Center feature which causes that issue thanks to the Windows community forum (the only place I found the exact same issue BUT with no solution except reinstalling without enabling Media Center – as a reminder, this comes with a specific product key).

So as I did not want to reinstall it (even by doing an in-place upgrade), I dug a little and found 2 registry keys have to be updated to allow me to get the updated version of Windows 10.

You have to change the following values:

  • EditionID, change from ProfessionalWMC to Professional
  • ProductName, change from Windows 8.1 Pro with Media Center to Windows 8.1 Pro

They are located under both HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion and HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion.

After changing these values, restart the client and go to the Update and Recovery section to get the updated version.
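
The same change as a PowerShell script, added here as an example (it is not part of the original post): it exports both keys with reg.exe first, then changes a value only if it still holds the Media Center string. The key paths and values are the ones listed above; the backup folder is an assumption.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
# Key paths and values are the ones listed in the post; the backup folder is an assumption.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion'
)
$changes = @{
    EditionID   = @{ From = 'ProfessionalWMC';                   To = 'Professional' }
    ProductName = @{ From = 'Windows 8.1 Pro with Media Center'; To = 'Windows 8.1 Pro' }
}
$backupDir = Join-Path $env:TEMP 'CurrentVersion-backup'   # hypothetical location
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { Write-Warning "Key not present, skipped: $key"; continue }

    # Export the key before touching it so the change can be rolled back with 'reg import'.
    $regPath = $key -replace '^HKLM:', 'HKEY_LOCAL_MACHINE'
    $backup  = Join-Path $backupDir (($regPath -replace '[\\ ]', '_') + '.reg')
    & reg.exe export $regPath $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $regPath failed; nothing changed under it." }

    foreach ($name in $changes.Keys) {
        $from    = $changes[$name].From
        $to      = $changes[$name].To
        $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

        if ($current -eq $to) {
            Write-Output "$key : $name is already '$to'"
        }
        elseif ($current -eq $from) {
            Set-ItemProperty -Path $key -Name $name -Value $to
            Write-Output "$key : $name changed from '$from' to '$to'"
        }
        else {
            # Any other edition string is not the situation the post describes.
            Write-Warning "$key : $name is '$current', left unchanged"
        }
    }
}
```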

Oct 22
Office 365 / SharePoint Online – OneDrive for Business Calculator

I know OneDrive for Business is not completely working (many synchronization issues have been reported, lack of troubleshooting options…) but when it works, it is really helpful (especially because the storage space was recently increased up to 1 TB). I’m not a big fan of O4B myself.

So that said – and because Microsoft is working hard to improve that, there is a useful Excel file which can help in the OneDrive for Business deployment called OneDrive for Business Client Network Bandwidth Calculator – available for download from http://www.microsoft.com/en-us/download/details.aspx?id=44541 (currently in beta)

This spreadsheet will help you to determine the bandwidth consumption for your company when deploying OneDrive for Business.

You can define the number of sites, the number of users per site, the average file size and the client type (mobile, PC…), and it will generate a report with graphs to help you understand what you need to provide a good user experience (if possible with the current version)

Oct 17
Microsoft Azure – Cost Estimation Tool

Microsoft has updated its Azure Cost Estimation tool, now available at http://www.microsoft.com/en-us/download/details.aspx?id=43376

After installing it, you will be able to scan your on premises environment (running either on a physical server or a hypervisor like Hyper-V, SCVMM or ESX) and get a cost estimation for the same environment on Azure

As a sample, here is a result for a Hyper-V 2012 R2 server running 7 VMs – including SharePoint 2013, Exchange 2013 or Lync 2013 and SQL Server

Of course you can adjust the costing by changing the Compute Instance

Oct 13
Azure RMS – Deploying Azure Rights Management service connector to use Azure RMS On Premises

As you may already know, one of the most complicated tasks for IT and security guys is to ensure sensitive corporate data is well protected.

To help them in this task, Microsoft introduced a technology called Rights Management Services (RMS) about a decade ago (the first release was provided with Windows Server 2003 as an additional downloadable component). Since then, with the move to the cloud, RMS has also been made available to Office 365 customers, based on Azure RMS.

That said, the On Premises RMS version has (at least) one limitation: you cannot share RMS protected documents with external people – you need either to create (and so manage) a user account in your Active Directory for those people or implement a federation with the external organization, which requires this organization to implement ADFS too. On the other side, Azure RMS can help with sharing such protected documents with external people BUT does not deliver On Premises protection, meaning you cannot use Azure RMS to protect On Premises file shares, SharePoint sites or Exchange mail flows.

Good news, Microsoft has provided an RMS connector to help you use Azure RMS on your On Premises systems.

To do so, you just have to

  1. Enable Azure RMS (either on your Office 365 tenant or if you don’t have Office 365 on your Azure tenant),
  2. Implement (if not done yet) directory synchronization with Azure Active Directory Services (you know, the well-known DirSync for Office 365 or the new tool AAD Connect – see http://blog.hametbenoit.info/Lists/Posts/Post.aspx?ID=631)
  3. Optionally but recommended (also if not yet done) implement federation using ADFS
  4. And finally install the connector and configure your On Premises systems to use Azure RMS (SharePoint, Exchange or file shares)

I will not go through the first 3 steps – Azure RMS activation, directory synchronization and federation – as there is already a lot of documentation available, even in this blog. So, let's start with the connector installation and systems configuration.

Download and Install the Azure RMS connector

There are 3 files available for download

    • GenConnectorConfig.ps1 – PowerShell script to configure authorized servers to use the RMS connector (run either locally on the authorized server or using a Group Policy)
    • RMSConnectorAdminToolSetup_x86.exe – installs the RMS connector console on a 32-bit client (not the 32-bit version of the connector)
    • RMSConnectorSetup.exe – the connector setup itself, or the remote console

The connector can be installed on Windows Server 2008 R2 to 2012 R2. If you plan to implement high availability, you have to install it on at least 2 different servers.

During the installation, IIS and all required features will be installed if not already installed on the server.

You can use the setup program to install the Azure RMS console on a remote client – if your client does not meet the requirements to install the connector itself, the setup will automatically propose to install the console only. This console allows you to manage the servers authorized to use the connector.

You do not need a dedicated server to host the connector BUT do not install it on the Exchange, SharePoint or file share servers to be protected with the connector.

The connector setup is very simple, just follow the install wizard; there are no specific settings here except the tenant credentials to be entered.

NOTE 1: if the tenant administrator credentials use MFA (multi factor authentication), the setup will fail; I recommend using a dedicated account, similar to the one used for the Directory Synchronization installation. The error you will get does not clearly say MFA is not supported, only that the user name and password combination is not correct.

NOTE 2: the credentials used here MUST be either Office 365 Global Administrator, RMS Tenant Global Administrator or Azure RMS Connector Administrator. If you plan to use an RMS account, see later in this post for connecting to the Azure RMS tenant and configuring a privileged account.

Authorizing the use of Azure RMS Connector

Once the connector installation has been completed, the first thing is to allow the hosting server to use the Azure RMS connector.

At the end of the installation, the wizard proposes to launch the console to authorize the server. If not, or if you closed the wizard without launching the console, just start it from the Start menu

On this console, you just have to add the server(s) allowed to use the RMS connector – such as the file share server, Exchange or SharePoint server.

When adding a server, you have to define which server type – Exchange, SharePoint or File Share – and an account – either service or computer account

Recommendations

  • For Exchange servers, use the default Exchange Servers group to automatically allow all Exchange servers
  • For SharePoint servers, use the service account used to run the SharePoint application pool
  • For file servers, use the server account or a dedicated group containing all file servers to be allowed to use the connector

Configure RMS Connector to use HTTPS

As the RMS connector uses an IIS web site, by default it is using HTTP traffic; as for any sensitive HTTP communications, it is recommended to use HTTPS.

To enable RMS connector for HTTPS use, just open the IIS console and bind the HTTPS port (443) with a certificate; you can either use your internal Certification Authority or a public one.

You can also configure a binding using a generic URL instead of the server name; this is required if you plan to use load balancing for high availability. This is also recommended even if you deploy one RMS connector server.

Do not change this URL after you have configured Exchange, SharePoint or file servers to use the RMS connector.
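
One way to script the HTTPS binding described above with the WebAdministration module, added as an example and not taken from the original post or from the connector setup. The site name, the generic host name and the certificate thumbprint are assumptions or placeholders to replace with your own.

```powershell
# Added example (not from the original post). Run elevated on the RMS connector server.
Import-Module WebAdministration

$siteName   = 'Default Web Site'           # assumption: IIS site hosting the connector
$hostName   = 'rmsconnector.contoso.com'   # hypothetical generic (load-balanced) name
$thumbprint = '<certificate thumbprint>'   # placeholder: certificate in LocalMachine\My
$sslPath    = 'IIS:\SslBindings\0.0.0.0!443'

$cert = Get-Item "Cert:\LocalMachine\My\$thumbprint" -ErrorAction Stop

# Refuse a certificate that IIS could not serve or that clients would reject.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key on this server.' }
Write-Output "Certificate subject: $($cert.Subject) (must cover $hostName)"

# Add the HTTPS binding on port 443 if the site does not have one yet.
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*'
}

# Attach the certificate to the port, or report what is already attached.
if (Test-Path $sslPath) {
    $bound = (Get-Item $sslPath).Thumbprint
    if ($bound -ne $cert.Thumbprint) {
        Write-Warning "Port 443 already uses certificate $bound; not replaced."
    }
}
else {
    $cert | New-Item $sslPath | Out-Null
}

# Show the resulting bindings so the HTTPS entry can be confirmed.
Get-WebBinding -Name $siteName | Select-Object protocol, bindingInformation
Write-Output "Connector URL to give Exchange, SharePoint and file servers: https://$hostName"
```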

 

Configure Exchange and/or SharePoint servers

Exchange Server

Exchange 2010 SP3 with CU 6 or Exchange 2013 CU 3 (or later) is supported for the RMS connector use.

You need to install an updated version of the RMS client if you are running Windows Server 2008 or Windows Server 2008 R2 to support RMS Cryptographic Mode 2 (Windows Server 2012/2012 R2 already support it)

Run the PowerShell script to configure Exchange server to use the connector (don’t forget, always run the script using the Run as administrator).

This script automatically creates and updates registry keys – if you want to do it manually, just read the script to get the keys and values

It will ask you for the RMS connector URL (your RMS connector server(s))

Once this has been completed, you have to enable Exchange for RMS – see http://technet.microsoft.com/en-us/library/dd351212(v=exchg.150).aspx

By the way, to enable RMS on Outlook Web Access for On Premise you have to run the following command on Exchange: Set-OWAVirtualDirectory -IRMEnabled $true

SharePoint Server

SharePoint 2010 or SharePoint 2013 are supported for the RMS connector use.

As for Exchange Server, if you are not running Windows Server 2012/2012 R2, you need to update the RMS client

Run the PowerShell script to configure SharePoint server to use the connector (don’t forget, always run the script using the Run as administrator)

This script automatically creates and updates registry keys – if you want to do it manually, just read the script to get the keys and values

As for Exchange, once this has been completed, you have to setup SharePoint for RMS use – see http://technet.microsoft.com/en-us/library/hh545608(v=office.14).aspx

 

Configure the connector to use a proxy server

If you are using a proxy server, you may have to configure the RMS connector to use this proxy

Unfortunately, there is no interface available to do so; you have to manually update the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AADRM\Connector and add a String value called ProxyAddress with the proxy settings as its data (like http://proxyserver:8080)

Configure Azure RMS privileged account

To configure a privileged Azure RMS account, you need to use the PowerShell module for Azure RMS – available at http://technet.microsoft.com/en-US/library/jj585012.aspx

Then run the following commands

  • Connect-AadrmService and provide existing administrator credentials
  • Add-AadrmRoleBasedAdministrator -EmailAddress <email address> -Role "GlobalAdministrator"
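
The two commands above in script form, added as an example rather than taken from the original post: it grants the narrower ConnectorAdministrator role (the "Azure RMS Connector Administrator" that NOTE 2 accepts for the connector setup) to a dedicated account instead of GlobalAdministrator, then lists the role-based administrators for review. The account name is hypothetical.

```powershell
# Added example (not from the original post). Requires the Azure RMS (AADRM) PowerShell module.
Import-Module AADRM

# Hypothetical dedicated account, used only to install and manage the RMS connector.
$connectorAccount = 'rmsconnector-svc@contoso.onmicrosoft.com'

# Prompts for the credentials of an existing administrator, as in the post.
Connect-AadrmService
try {
    # Least privilege: this account only needs to manage the connector,
    # so it gets the connector role rather than GlobalAdministrator.
    Add-AadrmRoleBasedAdministrator -EmailAddress $connectorAccount -Role 'ConnectorAdministrator'

    # Review who holds an Azure RMS administrative role after the change.
    Get-AadrmRoleBasedAdministrator
}
finally {
    # Always close the session, even if the role assignment failed.
    Disconnect-AadrmService
}
```
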
Oct 10
Office 365 / Exchange Online – New way to send attachment when using Outlook Web Access

As announced some time ago, Microsoft has once again introduced a new “simple” feature on Outlook Web Access hosted on Office 365.

This new feature allows you to send, instead of an attachment, a link to your OneDrive for Business space where the attachment is stored.

There is nothing to do on your side – except wait for the deployment of this feature on your tenant.

Then, you only have to log on to your Exchange Online mailbox using Outlook Web Access (OWA) at https://outlook.office365.com, create a new email and add an attachment using the Attachments or OneDrive files menu as shown below

Choosing the OneDrive option opens a new window to let you choose the document to attach from your OneDrive – NOTE you can only select ONE file at a time

There are 4 locations displayed:

  • Recent allows you to find all recent (uploaded/updated) documents wherever they are located in SharePoint Online – including site collections “outside” of your OneDrive for Business space
  • My Files allows you to find documents stored on your OneDrive for Business space
  • Shared with me finds all documents you have access to, either directly (you are the owner – OneDrive, site collections…) or because you have been granted access to them
  • Computer allows you to locate a file on your client and upload it to your OneDrive for Business space

If you choose Computer, you will be asked if you want to upload on OneDrive for Business or attach it as a classic attachment

When you choose Upload and Share with OneDrive, a new folder is automatically created (the first time) on your OneDrive for Business space called Email attachments where all uploaded attachments will be located

NOTE To and CC recipients automatically get permission to read and edit the attachment stored on your OneDrive. You can change the permission to restrict it to read only using the menu

Here is what the recipient will receive – as you can see there is NO more attachment but instead a link to your OneDrive

This new way to send attachments is ONLY available from OWA using a web browser or using the OWA apps for Android or iPhone.

NOTE this feature was in some way already available BUT you had to install an Outlook App from the Office Store, as shown below

Oct 04
Office 365 / Exchange Online – One Time Password is now available for encrypted message

Back in February 2014, Microsoft implemented a new security feature on Exchange Online called Message Encryption (see http://blogs.office.com/2013/11/21/introducing-office-365-message-encryption-send-encrypted-emails-to-anyone/).

But this feature required the use of a Microsoft account to decrypt the message. With the service upgrade, it is now possible to bypass this requirement and use a One Time Password (OTP) to decrypt the received message.

For the purpose of this post, I sent an email which has been encrypted by Message Encryption to a Gmail address.

Here is what the encrypted message now looks like when viewed by the recipient

So you have to open the HTML attachment (message.html) and you will see at the bottom a link to request a One Time Password to open the message

You may get a warning pop-up to notify you that you are going to be redirected

Then you are redirected to an Office 365 page which is waiting for the One Time Password which has been sent to the recipient address

Here is the message received with the One Time Password, valid for 15 min

After filling the OTP form with the One Time Password generated, the recipient is able to read the message. Please note the banner and the footer, which remind the reader that the message has been encrypted

Oct 02
Windows 10 – Multiple desktops / Task Views

With Windows 10 Technical Preview, Microsoft has introduced a new feature called Task View, which is in fact a way to use multiple different desktops running different applications – both Windows Apps and Desktop Apps.

This feature has been there for a long time on Linux or OS X, and was there a long time ago on Windows XP too, with a PowerToy

To use it, just hit the Task View icon in the taskbar; this will get you to the task view interface, which displays the main desktop view (the one started when you log on). Then you just have to hit + Add a desktop (or the + sign if you already have another virtual desktop) to create a new virtual desktop/task view and start your application; repeat as many times as you need

If you close the virtual desktop/task view, this does not close the applications currently running in this view. These applications go back to the main desktop

Oct 02
Windows 10 – Upgrade Surface Pro 3 from Windows 8.1

A quick post to say the upgrade process from Windows 8.1 on Surface Pro 3 (Core i7 / 8 GB RAM) went very smoothly and was very quick.

After about 15 min, Windows was upgraded to Windows 10 with no issue. Everything, from the applications (both Windows Apps and Desktop Apps) to the content (cached from OneDrive and OneDrive for Business), is still there and correctly configured.

Good news too, you don’t have to suspend the BitLocker protection, the install process does it for you, meaning you don’t have to stay around while the upgrade is in progress (as there are a few restarts).

 About

Benoit specializes in Microsoft infrastructure (Active Directory, Azure, ForeFront products, Hyper-V, Identity Management, System Center, Windows) and collaboration (BPOS, Exchange, Office 365, SharePoint) technologies.

He has been awarded Microsoft Most Valuable Professional (MVP) since 2002 - on Windows, then SharePoint and finally Office 365. He has been recognized as a Microsoft Community Contributor for his work on the Office 365 community in 2013 and 2014.

He has been involved in the early stages of testing for many Microsoft products - from Windows to Office 365, including Exchange, SharePoint or Office client and WindowsUpdate.

He has participated as a speaker or Ask The Expert (ATE) at many Microsoft or Quest events. He also participated in writing several books on SharePoint (2003 to 2010).

He is now working as a Cloud Solution Architect for an Australian-based company, Kloud, in Sydney, after working at Capgemini Australia, Capgemini and Sogeti France, Microsoft France and Avanade France.

With more than 10 years of professional experience, he has a deep knowledge of the Microsoft market and its competitors.

 Certifications

Microsoft Certified Systems Administrator 
Microsoft Certified Systems Administrator - Messaging
Microsoft Certified Systems Engineer 
Microsoft Technology Specialist 
 Microsoft Certified IT Professional

 Books I wrote

Le portail Microsoft SharePoint 
Microsoft Office SharePoint Portal Server 2003 et WSS au quotidien 
Microsoft Office SharePoint Server (MOSS) et Office 2007  
Microsoft Sharepoint 2010