Benoit's corner

Dec 17
Office 365 – Azure AD Connect Preview installation

Following my previous post announcing the preview of the new version of Azure AD Connect, which will replace the current DirSync tool for Office 365, here is a post detailing the installation of the preview.

As said in my previous post, this version can be downloaded from the Connect web site (http://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=53949).

For this installation, I reused the same server that already hosts my DirSync instance for Office 365, as well as the Yammer DirSync. I did this to test the upgrade (if there is one) from DirSync to Azure AD Connect. I also already have ADFS in place with a Web Application Proxy.

Upgrade from DirSync

So, I started by trying to upgrade from DirSync (version 1.0.6862, so not the latest version but not too old).

First step, accept the EULA; simple enough.

Then the setup analyzes the server; this is where trouble can appear.

It seems the check passed, as I was asked to enter my Office 365/Azure Active Directory credentials. Don't forget, these still have to be global administrator credentials.

For the purpose of this post, I also first tried with a NON global administrator account; it's a preview and I just wanted to check and see the error.

... and it seems it passes even if this account is NOT a global administrator: I reached the next step, which displayed the Express Settings proposed by the tool based on my current state (single AD forest, BUT it does not detect my ADFS install).

So I reassigned the global administrator role and tried the Custom step.

Custom Settings

After hitting the Customize button to configure the settings myself, I got the Single Sign On experience and had to choose between ADFS or Password Sync. If you hover over the question mark, you get a quick explanation of each option.

So, the next steps followed the choice of Password Sync.

Then you have to define the Active Directory (as it's based on AD Connect you can add multiple AD forests) or a NON AD LDAP directory to sync.

Then you have to select which features you want to enable: Exchange Hybrid and/or Password Writeback (remember, for this last feature you need Azure Active Directory Premium).

Then you have to define how your users are represented; this is important if you are syncing multiple directories and your user accounts are present in more than one of them.

User present in multiple directories

You have more choices here, including the option to use a custom attribute.

This next step is common to both options: you can define how to link the cloud and on premises user objects.

That's it, the setup can be completed (and I will see if the upgrade is possible and working as expected).

And... it failed with the error Unable to install the synchronization service.

So I will uninstall my DirSync instance.

Fresh Install

As it is not possible to upgrade from DirSync to this preview, I uninstalled the DirSync instance and tried again.

The setup process is exactly the same anyway.

The good news is that the setup detects that a previous run has already been done with some configuration and proposes to keep it or start over.

The wizard has some sort of minor bug here: when it starts the configuration, the main window is kept in front while a new one displaying the progress is hidden behind it (obviously this should be the same window).

Then, as usual, you can open the console to select/unselect the OUs to be synchronized (this time it is located below C:\Program Files\Microsoft Azure AD Sync\UIShell), and the connector names use either the tenant name for Azure AD or the directory name for on premises.

Meanwhile, there is no more MSOL account created and used to synchronize your AD; it finally uses the account you defined during the configuration (so do not use the administrator account anymore).

To complete, open the Scheduled Tasks console and enable the task created during the installation called Azure AD Sync Scheduler.

Dec 17
Azure – Azure backup now supports Windows client

After the server side, Microsoft has published an update for Windows 7 and 8 clients to allow these clients to take advantage of the Azure service called Azure Backup.

Go here to download and install the package and start backing up your clients to Azure: http://support.microsoft.com/kb/3015072

Dec 16
Office 365 – Office 365 DirSync will be replaced with Azure AD Connect

Microsoft has announced that Azure AD Connect, the new tool to synchronize on premises Active Directory directories, will replace the current DirSync tool for Office 365 in the very near future.

As you may be aware, for a few months now we have had different synchronization tools for Office 365 and Azure Active Directory:

  • Office 365 DirSync, the "old" synchronization tool initially used for Office 365 with a single AD forest
  • Azure AD Connect, the younger one which supports the same as DirSync PLUS multiple AD forests, attribute selection...

Since yesterday, a new version of Azure AD Connect has been available in public preview which combines both DirSync and Azure AD Connect features.

Read the announcement here: http://blogs.technet.com/b/ad/archive/2014/12/15/azure-ad-connect-one-simple-fast-lightweight-tool-to-connect-active-directory-and-azure-active-directory.aspx

Download the preview here: http://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=53949

Enjoy

Dec 09
ADFS 3 / Office 365 – Sign in with Lync mobile app on Android failed

While working on a project to deploy Office 365 with ADFS 3.0, I ran into an issue with the Lync mobile client on Android ONLY; other Lync clients did not have the issue (on Windows, Windows Phone or iOS).

The issue was that the user was not able to sign in on the Lync 2013 mobile client on Android (while Office mobile or web browser access worked fine); the same user account on Windows, Windows Phone or iOS worked fine too.

It appeared that (for some unknown reason) a default entry on the ADFS and Web Application Proxy servers was missing: 0.0.0.0:443.

So the solution was quite simple and has to be executed on both the ADFS and Web Application Proxy servers:

  • using a command prompt (run as administrator), run the first command to get some values (certificate hash and application ID): netsh http show sslcert

It returns all listeners available on the server.

  • then run the command netsh http add sslcert ipport=0.0.0.0:443 certhash=<replace with the certificate hash value from the first command> appid={<replace with the application ID from the first command>}

Et voila
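As an added example (not from the original post), here is a PowerShell script that automates the two netsh commands above: it parses the existing listeners, reports whether 0.0.0.0:443 is already bound and, if not, re-creates the binding from the certificate hash and application ID of the first existing listener. It assumes the English label format of the netsh http show sslcert output and must run in an elevated prompt on each ADFS and Web Application Proxy server.

```powershell
# Added example: ensure the 0.0.0.0:443 SSL listener exists on an ADFS 3.0 / WAP server.
# Assumption: "netsh http show sslcert" prints English labels ("IP:port",
# "Certificate Hash", "Application ID"); adjust the patterns on a localized OS.

function Get-SslCertBindings {
    # Turn the netsh text output into one object per listener.
    $bindings = @()
    $current  = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            if ($current) { $bindings += $current }
            $current = [pscustomobject]@{ IpPort = $Matches[2]; CertHash = $null; AppId = $null }
        }
        elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]+)') {
            $current.CertHash = $Matches[1]
        }
        elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\{[0-9a-fA-F-]+\})') {
            $current.AppId = $Matches[1]
        }
    }
    if ($current) { $bindings += $current }
    return $bindings
}

$bindings = @(Get-SslCertBindings)
if ($bindings.Count -eq 0) { throw 'No SSL listeners found; is this an ADFS or WAP server?' }

# Nothing to do if the wildcard listener the Android Lync client needs is already there.
$wildcard = $bindings | Where-Object { $_.IpPort -eq '0.0.0.0:443' }
if ($wildcard) {
    Write-Host "0.0.0.0:443 listener already present (certificate $($wildcard.CertHash))."
    return
}

# Copy hash and app ID from the first complete listener (the ADFS service certificate).
$source = $bindings | Where-Object { $_.CertHash -and $_.AppId } | Select-Object -First 1
if (-not $source) { throw 'No existing listener with both a certificate hash and an application ID.' }

Write-Host "Adding 0.0.0.0:443 with certificate $($source.CertHash) and app ID $($source.AppId) (copied from $($source.IpPort))."
$certArg = "certhash=$($source.CertHash)"
$appArg  = "appid=$($source.AppId)"
netsh http add sslcert ipport=0.0.0.0:443 $certArg $appArg

# Show the result so the new entry can be checked against the others.
netsh http show sslcert ipport=0.0.0.0:443
```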

Nov 13
Azure / Office / Office 365 – Support for MFA for Office applications is coming

As you may already know (if not, this is it), Microsoft has provided Multi-Factor Authentication (MFA) with Office 365 and Azure Active Directory for some time now. This MFA solution is provided by PhoneFactor, which has since been bought by Microsoft.

If you don't know anything about this, just take a look here: http://blog.hametbenoit.info/Lists/Posts/Post.aspx?ID=618 for on premises deployment and http://blog.hametbenoit.info/Lists/Posts/Post.aspx?ID=556 for the Office 365 version.

That said, and while I'm a big fan of this solution, there has been a big hole in it: it worked ONLY for web browser access; Office clients (and PowerShell) do not support this additional authentication scheme. The workaround was to set up what is called an App Password, which is automatically generated and in my opinion is not so secure as it contains only lowercase characters.

After this introduction, here is the GOOD news... Support for MFA will be available soon for Office clients (nothing said about PowerShell support).

If you want to know more and take part in the preview, read the announcement here http://blogs.office.com/2014/11/12/office-2013-updated-authentication-enabling-multi-factor-authentication-saml-identity-providers/ and join the preview here http://aka.ms/previewauth

Read the announcement carefully as there are some restrictions.

Hopefully I will be able to provide you my feedback on this preview soon.

Oct 29
Windows Phone – Updated version of OneDrive (personal)

Today, the OneDrive app for Windows Phone – the personal version – has been updated to the version

OK, I usually don't post about such mobile app updates, as they can be frequent, but this one is interesting as it introduces an interesting new feature.

Indeed, you can now add your OneDrive for Business space to the OneDrive (personal) mobile application.

If this page does not come up when you start the OneDrive app after the update, just hit the button at the top left (just left of the Files menu).

Then just enter your Office 365 organization account.

Once authenticated, your OneDrive for Business will appear in the list of available storage spaces as well as under the Settings\Accounts menu; as you can see, you can add more than one Office 365 OneDrive for Business space.

If you want to reach your OneDrive for Business space, you just need to switch by hitting the Files menu shown below your Office 365 account.

Oct 27
Windows 10 – Failed to check for new preview build. Please try again. 0x800700EA SOLVED

If you are running the preview version of Windows 10, you may be aware that an updated version is available and should be installed through the Update and Recovery section of PC Settings in the Charm bar.

OK, but if you have enabled Media Center this operation will fail with the error code 0x800700EA. I found that it is the Media Center feature which causes that issue thanks to the Windows community forum (the only place I found the exact same issue, BUT with no solution except reinstalling without enabling Media Center; as a reminder, this comes with a specific product key).

So as I did not want to reinstall (even by doing an in-place upgrade), I dug a little and found that 2 registry values have to be updated to allow me to get the updated version of Windows 10.

You have to change the value of the following keys:

  • EditionID: change from ProfessionalWMC to Professional
  • ProductName: change from Windows 8.1 Pro with Media Center to Windows 8.1 Pro

These keys are located below HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion and HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion.

After changing the value of these keys, restart the client and go to the Update and Recovery section to get the updated version.
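As an added example (not from the original post), this PowerShell script applies the two registry changes above to both registry views, records the old values in a backup file first, and only touches a value if it still holds the Media Center edition string. The paths and values are the ones quoted in the post; the backup file location under %TEMP% is an assumption.

```powershell
# Added example: switch the edition identity from "Pro with Media Center" back to "Pro"
# in both the native and the Wow6432Node views, backing up the old values first.
# Run from an elevated PowerShell prompt, then restart before checking for the new build.

$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion'
)

# Expected current value and replacement for each value name (as quoted in the post).
$changes = @{
    EditionID   = @{ From = 'ProfessionalWMC';                   To = 'Professional' }
    ProductName = @{ From = 'Windows 8.1 Pro with Media Center'; To = 'Windows 8.1 Pro' }
}

# Assumed backup location: a timestamped text file in the user's temp folder.
$backup = Join-Path $env:TEMP ('CurrentVersion-backup-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))

foreach ($path in $paths) {
    if (-not (Test-Path $path)) {
        Write-Warning "$path not found, skipping"
        continue
    }
    $item = Get-ItemProperty -Path $path
    foreach ($name in $changes.Keys) {
        $current = $item.$name
        $to      = $changes[$name].To

        # Always record the value we found, even if we leave it alone.
        "$path\$name = $current" | Add-Content -Path $backup

        if ($current -eq $changes[$name].From) {
            Set-ItemProperty -Path $path -Name $name -Value $to
            Write-Host "$name : '$current' -> '$to'  ($path)"
        }
        else {
            Write-Host "$name is '$current' in $path, left unchanged"
        }
    }
}

Write-Host "Old values saved to $backup. Restart, then retry Update and Recovery."
```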

Oct 22
Office 365 / SharePoint Online – OneDrive for Business Calculator

I know OneDrive for Business is not completely working (many synchronization issues have been reported, lack of troubleshooting tools...) but when it works, it is really helpful (especially because of the storage space recently increased to 1 TB). I'm myself not a big fan of O4B.

That said, and because Microsoft is working hard to improve it, there is a useful Excel file which can help with OneDrive for Business deployment, called OneDrive for Business Client Network Bandwidth Calculator, available for download from http://www.microsoft.com/en-us/download/details.aspx?id=44541 (currently in beta).

This spreadsheet will help you to determine the bandwidth consumption for your company when deploying OneDrive for Business.

You can define the number of sites, number of users per site, average file size, client type (mobile, PC...) and it will generate a report with graphs to help you understand your needs to provide a good user experience (if possible with the current version).

Oct 17
Microsoft Azure – Cost Estimation Tool

Microsoft has updated its Azure Cost Estimation tool, now available at http://www.microsoft.com/en-us/download/details.aspx?id=43376

After installation, you will be able to scan your on premises environment (running either on a physical server or a hypervisor like Hyper-V, SCVMM or ESX) and get an estimated cost for the same environment on Azure.

As a sample, here is a result for a Hyper-V 2012 R2 server running 7 VMs, including SharePoint 2013, Exchange 2013, Lync 2013 and SQL Server.

Of course you can adjust the costing by changing the Compute Instance.

Oct 13
Azure RMS – Deploying Azure Rights Management service connector to use Azure RMS On Premises

As you may already know, one of the most complicated tasks for IT and security people is to ensure sensitive corporate data is well protected.

To help them in this task, Microsoft introduced a technology called Rights Management Services (RMS) about a decade ago (the first release was provided with Windows Server 2003 as an additional downloadable component). Since then, and with the move to the cloud, RMS has also been made available to Office 365 customers based on Azure RMS.

That said, the on premises RMS version has (at least) one limitation: you cannot share RMS protected documents with external people. You need either to create (and so manage) a user account in your Active Directory for those people, or to implement a federation with the external organization, which requires this organization to implement ADFS too. On the other side, Azure RMS can help share such protected documents with external people BUT does not deliver on premises protection, meaning you cannot use Azure RMS to protect on premises file shares, SharePoint sites or Exchange mail flows.

Good news: Microsoft has provided an RMS connector to help you use Azure RMS on your on premises systems.

To do so, you just have to:

  1. Enable Azure RMS (either on your Office 365 tenant or, if you don't have Office 365, on your Azure tenant),
  2. Implement (if not done yet) directory synchronization with Azure Active Directory (you know, the well known DirSync for Office 365 or the new tool AAD Connect; see http://blog.hametbenoit.info/Lists/Posts/Post.aspx?ID=631),
  3. Optionally but recommended (also if not yet done), implement federation using ADFS,
  4. And finally install the connector and configure your on premises systems to use Azure RMS (SharePoint, Exchange or file shares).

I will not go through the first 3 steps (Azure RMS activation, directory synchronization and federation) as there is already a lot of documentation available, even on this blog. So, let's start with the connector installation and systems configuration.

Download and Install the Azure RMS connector

There are 3 files available for download:

    • GenConnectorConfig.ps1 – PowerShell script to configure authorized servers to use the RMS connector (run either locally on the authorized server or through a Group Policy)
    • RMSConnectorAdminToolSetup_x86.exe – installs the RMS connector console on 32-bit clients (this is not a 32-bit version of the connector)
    • RMSConnectorSetup.exe – the connector setup itself, or the remote console

The connector can be installed on Windows Server 2008 R2 to 2012 R2. If you plan to implement high availability, you have to install it on at least 2 different servers.

During the installation, IIS and all required features will be installed if not already installed on the server.

You can use the setup program to install the Azure RMS console on a remote client; if your client does not meet the requirements to install the connector itself, you will automatically be offered to install the console only. This console allows you to manage the servers authorized to use the connector.

It is not necessary to use a dedicated server to host the connector, BUT do not install it on the Exchange, SharePoint or file share servers to be protected with the connector.

The connector setup is very simple; just follow the install wizard. There are no specific settings here except the tenant credentials to be entered.

NOTE 1: if the administrator tenant credentials use MFA (multi factor authentication), the setup will fail; I recommend using a dedicated account, similar to the one used for the Directory Synchronization installation. The error you get does not clearly say MFA is not supported, only that the user name and password combination is not correct.

NOTE 2: the credentials used here MUST be either an Office 365 Global Administrator, RMS Tenant Global Administrator or Azure RMS Connector Administrator. If you plan to use an RMS account, see later in this post for connecting to the Azure RMS tenant and configuring privileged accounts.

Authorizing the use of Azure RMS Connector

Once the connector installation has been completed, the first thing to do is to allow the hosting server to use the Azure RMS connector.

At the end of the installation, the wizard proposes to launch the console to authorize the server. If not, or if you closed the wizard without launching the console, just start it from the Start menu.

In this console, you just have to add the server(s) allowed to use the RMS connector, such as the file share server, Exchange or SharePoint server.

When adding a server, you have to define the server type (Exchange, SharePoint or File Share) and an account (either a service or a computer account).

Recommendations

  • For Exchange servers, use the default Exchange Servers group to automatically allow all Exchange servers
  • For SharePoint servers, use the service account used to run the SharePoint application pool
  • For file servers, use the server account or a dedicated group containing all file servers allowed to use the connector

Configure RMS Connector to use HTTPS

As the RMS connector uses an IIS web site, by default it uses HTTP traffic; as for any sensitive HTTP communication, it is recommended to use HTTPS.

To enable the RMS connector for HTTPS, just open the IIS console and bind the HTTPS port (443) to a certificate; you can use either your internal Certification Authority or a public one.

You can also configure a binding using a generic URL instead of the server name; this is required if you plan to use load balancing for high availability. This is also recommended even if you deploy only one RMS connector server.

Do not change this URL after you have configured Exchange, SharePoint or file servers to use the RMS connector.

Configure Exchange and/or SharePoint servers

Exchange Server

Exchange 2010 SP3 with CU6 or Exchange 2013 CU3 (or later) is supported for RMS connector use.

You need to install an updated version of the RMS client if you are running Windows Server 2008 or Windows Server 2008 R2 to support RMS Cryptographic Mode 2 (Windows Server 2012/2012 R2 already support it).

Run the PowerShell script to configure the Exchange server to use the connector (don't forget, always run the script using Run as administrator).

This script automatically creates and updates registry keys; if you want to do it manually, just read the script to get the keys and values.

It will ask you for the RMS connector URL (your RMS connector server(s)).

Once this has been completed, you have to enable Exchange for RMS; see http://technet.microsoft.com/en-us/library/dd351212(v=exchg.150).aspx

By the way, to enable RMS on Outlook Web Access for on premises you have to run the following command on Exchange: Set-OWAVirtualDirectory -IRMEnabled $true

SharePoint Server

SharePoint 2010 or SharePoint 2013 are supported for RMS connector use.

As for Exchange Server, if you are not running Windows Server 2012/2012 R2, you need to update the RMS client.

Run the PowerShell script to configure the SharePoint server to use the connector (don't forget, always run the script using Run as administrator).

This script automatically creates and updates registry keys; if you want to do it manually, just read the script to get the keys and values.

As for Exchange, once this has been completed, you have to set up SharePoint for RMS use; see http://technet.microsoft.com/en-us/library/hh545608(v=office.14).aspx

Configure the connector to use a proxy server

If you are using a proxy server, you may have to configure the RMS connector to use this proxy.

Unfortunately, there is no interface available to do so; you have to manually update the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AADRM\Connector and add a String value called ProxyAddress with the proxy settings as its data (like http://proxyserver:8080).

Configure Azure RMS privileged account

To configure privileged Azure RMS accounts, you need to use the PowerShell module for Azure RMS, available at http://technet.microsoft.com/en-US/library/jj585012.aspx

Then run the following commands:

  • Connect-AadrmService and provide existing administrator credentials
  • Add-AadrmRoleBasedAdministrator -EmailAddress <email address> -Role "GlobalAdministrator"
 About

Benoit specializes in Microsoft infrastructure (Active Directory, Azure, ForeFront products, Hyper-V, Identity Management, System Center, Windows) and collaboration (BPOS, Exchange, Office 365, SharePoint) technologies.

He has been awarded Microsoft Most Valuable Professional (MVP) since 2002, on Windows, then SharePoint and finally Office 365. He has been recognized as Microsoft Community Contributor for his work on the Office 365 community in 2013 and 2014.

He has been involved in the early testing phase of many Microsoft products, from Windows to Office 365, including Exchange, SharePoint, the Office client and Windows Update.

He has participated as a speaker or Ask The Expert (ATE) at many Microsoft or Quest events. He also participated in writing several books on SharePoint (2003 to 2010).

He is now working as Cloud Solution Architect for an Australian-based company, Kloud, in Sydney, after working at Capgemini Australia, Capgemini and Sogeti France, Microsoft France and Avanade France.

With more than 10 years of professional experience, he has a deep knowledge of the Microsoft market and its competitors.
