
Benoit's corner

Aug 26
System Center Configuration Manager – Integrate your Windows Store for Business

The latest update for System Center Configuration Manager 2012 R2 (build 5.00.8412.1000 – released on August 2nd, 2016) has added the ability to integrate your Corporate Windows Store into SCCM.

The ability to deploy Universal Apps using SCCM was introduced some time ago, but you had to use Offline Licensing and create an application in SCCM prior to the deployment.

Your client device must run Windows 10 build 1511 or later (build released in November 2015).

First, of course, you need to update your SCCM infrastructure with the update referenced above.

If this is already done, open your SCCM administration console and go to Administration\Cloud Services\Updates and Servicing\Features to turn on the Windows Store for Business Integration feature (the default is Off), then confirm the activation.

Starting from then you will be able to directly add applications from your Windows Store for Business.

Register your SCCM infrastructure

To continue the configuration process, you need to register your SCCM infrastructure in Azure Active Directory.

Connect to your Azure portal (https://manage.windowsazure.com) and access the Applications section of your Azure AD tenant to Add a new application.

Choose to add an Application my organization is developing.

Name the application (SCCM, for example) and select the Web Application type.

Define the sign-in and app ID URLs. The values you define do not really matter as they will not actually be used; they are only needed to complete the process and then be able to get a key.

Finally, configure the added application to generate a key: in the keys section, select the duration of the key.

Once the key has been generated, stay on this page until you complete the next steps. If you leave it, you will not be able to get the key afterwards.

Define SCCM as management tool

You then need to connect to your Windows Store for Business (https://businessstore.microsoft.com) to define the management tool used to deploy the applications: search using the name of the application you added during the previous step and make it active.

While you are on your Windows Store for Business, you also need to enable the Show offline licensed apps option available through the Manage\Account Information section.

Adding Windows Store for Business account

Once the feature has been successfully added, close the console and reopen it, then go back to the Administration\Cloud Services section; you should see the Windows Store for Business section.

You can only add one Windows Store for Business account.

Right click on it and choose to add Windows Store for Business Account; this is where we will need the key created during the previous step.

Just follow the wizard to define the credentials to connect to the store.

You will need to define your Azure AD tenant (the one to which you have added your SCCM), the client ID and the key.

Click the Verify button to ensure everything is correct and finally define the location where to save Windows apps for Offline deployment.

Finally, you can refine the language(s) available.

Your Windows Store for Business is now added.

IMPORTANT: this is where you will have to go to change the application key when it expires.

Deploy Windows Universal Apps

Your Windows Store for Business has now been added and you can deploy the applications you have in your store (see http://blog.hametbenoit.info/Lists/Posts/Post.aspx?ID=793 for more information on how to get applications in your store; ensure you select the Offline license type).

Go to the Software Library\Application Management\License Information for Store Apps section and add a new application for deployment.

Right click on the application you want to deploy and choose Create application, then follow the well-known create application wizard.

Aug 26
SCCM – Integrate OMS with your SCCM infrastructure

The latest update of System Center Configuration Manager 2012 R2 (build 5.00.8412.100 published in August 2016) has added a prerelease feature to use OMS to synch your monitoring logs.

Of course, to take advantage of this feature, you need to have an Operations Management Suite tenant (https://www.mms.microsoft.com).

Enable Prerelease Features

To take advantage of this prerelease feature, you first need to enable the use of prerelease features from Administration\Site Configuration\Sites\Hierarchy Settings.

Enable Microsoft OMS Connector

From the SCCM administration console, access Administration\Cloud Services\Updates and Servicing\Features and turn on the Pre-release – Microsoft Operations Management Suite (OMS) feature.

Once activated, close the console and reopen it to see the OMS Connector.

Register your SCCM infrastructure

You need to perform this step only if you have not already registered your SCCM infrastructure; you may already have done this to integrate your Windows Store for Business store. In either case, you will need to configure the permission to grant the correct rights (next step).

To continue the configuration process, you need to register your SCCM infrastructure in Azure Active Directory.

Connect to your Azure portal (https://manage.windowsazure.com) and access the Applications section of your Azure AD tenant to Add a new application.

Choose to add an Application my organization is developing.

Name the application (SCCM, for example) and select the Web Application type.

Define the sign-in and app ID URLs. The values you define do not really matter as they will not actually be used; they are only needed to complete the process and then be able to get a key.

Finally, configure the added application to generate a key: in the keys section, select the duration of the key.

Once the key has been generated, stay on this page until you complete the next steps. If you leave it, you will not be able to get the key afterwards.

Create the OMS workspace on Azure

Connect to your Azure management portal (https://portal.azure.com) and add a resource; if you already have an OMS workspace, just search for it and go to the step to grant the permission.

Search for Log Analytics (OMS) and create the workspace.

Create a new OMS workspace or link an existing one.

Then fill in the additional settings like resource group, location…

Grant Permission to Connect to the OMS Workspace

Open the Log Analytics (OMS) blade and open your workspace.

Click on Access management.

Add a contributor role and add the user.

Configure OMS Connector

From the administration console, on the top tier site in your hierarchy, browse to Administration\Cloud Services\OMS Connector and right click to create the connector.

Just follow the wizard to configure the tenant, client ID and key for the application added previously.

Click the Verify button to ensure everything is correct; this will show Successfully verified.

During the next step, you need to define your Azure subscription, the Azure resource group and the OMS workspace; you need to fill in these fields manually (as this is a prerelease, we can expect these to be prepopulated at a later stage). If you have multiple Azure subscriptions, it is recommended to use the one you are already using with OMS (you can check it from the OMS portal, in the Settings\Accounts\Azure Subscription section). Then select the device collection you want to synch with OMS; you can change it at any time later.

The collection will then be shown in the OMS portal, helping you monitor your device collections.

Install the OMS Agent on the SCCM Server with the Connection Point

You must install the OMS agent on the server hosting the connection point to OMS

See https://azure.microsoft.com/en-us/documentation/articles/log-analytics-windows-agents/#download-the-agent-setup-file-from-oms

 

Import the collection on OMS

Connect to your OMS workspace portal (https://mms.microsoft.com) and go to the Settings.

You should see an SCCM tab in the Computer Groups section; activate the Import Configuration Manager collection membership option there.

Aug 13
Azure – Azure RemoteApp is being retired

UPDATE 13/08

You can sign in to the Citrix TechPreview (scheduled for Q4 and GA 2017) here https://www.citrix.com/global-partners/microsoft/remote-app.html

Microsoft has announced the retirement of the Azure Remote App solution.

Azure RemoteApp was the ability to publish applications and resources using Remote Desktop technology through Azure, either in full cloud mode (i.e. applications/resources hosted on Azure) or in hybrid mode (i.e. using Azure to access applications/resources hosted either in Azure or on premises).

Azure RemoteApp is no longer available for sale; if you are already using it, you can continue to use it for one more year while you look for alternative solutions.

See https://blogs.technet.microsoft.com/enterprisemobility/2016/08/12/application-remoting-and-the-cloud/  for the official announcement and alternative solutions.

Aug 05
Office 365 / Exchange – Convert your distribution lists to Office 365 Groups

A new feature is being rolled out to allow you to convert your distribution lists to Office 365 Groups.

 

What can be converted to Office 365 Groups

The following table defines what can be converted (as of today – August 5th, 2016)

Distribution group type | Eligibility
Mail enabled security group | Not eligible
On-premise managed distribution group (synched) | Not eligible
Nested distribution groups (the distribution group either has child groups or is a member of another group) | Not eligible
Moderated distribution group | Not eligible
Distribution groups with send on behalf settings | Not eligible
Distribution groups hidden from address lists | Not eligible
Distribution groups with member RecipientTypeDetails other than UserMailbox, SharedMailbox, TeamMailbox, MailUser | Not eligible
Distribution groups with member join or depart restriction as Closed | Eligible. Converted to a private Office 365 Group.
Distribution groups with custom delivery status notifications (ReportToManager = true, ReportToOriginator = false; or ReportToManager = false, ReportToOriginator = false) | Eligible. Office 365 Groups don't understand these properties, and delivery status notifications are always sent to the person that sent the email.

Convert a distribution group

Log on to your Exchange Online ECP (https://outlook.office365.com/ecp/) and go to the Recipients\Groups section.

Select the distribution group you want to convert to Office 365 (please refer to the table) and click the Upgrade to Office 365 Groups button.

Don’t worry, if the distribution list is NOT eligible, this button will not be available.

Confirm you want to convert to Office 365 Groups; thankfully, if anything goes wrong, the DL will not be changed.

The conversion may then take some time.

Please note it may also take some time for the Office 365 Admin portal to refresh; this means you may see your DL twice, once as a distribution list and once as an Office 365 Group. If you try to select the former distribution group, you will get an error.
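
The eligibility table above can be checked in bulk before opening the ECP. The following is an added example, not code from the original post: it assumes an already connected Exchange Online PowerShell session, the function name Get-DlUpgradeBlocker is hypothetical, and "Eligible" only means that none of the blocking rows of the table (as of August 5th, 2016) matched.

```powershell
# Added example, not from the original post. Assumes a connected Exchange Online session.
$allowedMemberTypes = 'UserMailbox', 'SharedMailbox', 'TeamMailbox', 'MailUser'

function Get-DlUpgradeBlocker {
    # Hypothetical helper: returns the table rows that make a group "Not eligible"
    param($Group, $Members, $ParentGroups)
    $why = @()
    if ([string]$Group.RecipientTypeDetails -eq 'MailUniversalSecurityGroup') {
        $why += 'Mail enabled security group'
    }
    if ($Group.IsDirSynced)                   { $why += 'On-premise managed (synched)' }
    if ($Group.ModerationEnabled)             { $why += 'Moderated' }
    if ($Group.GrantSendOnBehalfTo)           { $why += 'Send on behalf settings' }
    if ($Group.HiddenFromAddressListsEnabled) { $why += 'Hidden from address lists' }
    if ($ParentGroups)                        { $why += 'Nested: member of another group' }

    # Child groups and every other unsupported member type fail the same test
    $badTypes = @($Members | Where-Object { $_ } |
        ForEach-Object { [string]$_.RecipientTypeDetails } |
        Where-Object { $allowedMemberTypes -notcontains $_ } |
        Sort-Object -Unique)
    if ($badTypes.Count -gt 0) { $why += "Unsupported member types: $($badTypes -join ', ')" }
    $why
}

# Collect the groups first, then run the per-group queries
$groups = @(Get-DistributionGroup -ResultSize Unlimited)
$report = foreach ($g in $groups) {
    $dn      = $g.DistinguishedName -replace "'", "''"      # escape quotes for the filter
    $members = Get-DistributionGroupMember -Identity $g.DistinguishedName -ResultSize Unlimited
    # Approximation: only mail-enabled groups are searched for membership
    $parents = Get-DistributionGroup -Filter "Members -eq '$dn'" -ResultSize Unlimited

    $blockers = @(Get-DlUpgradeBlocker -Group $g -Members $members -ParentGroups $parents)
    $closed   = ($g.MemberJoinRestriction -eq 'Closed') -or ($g.MemberDepartRestriction -eq 'Closed')

    [pscustomobject]@{
        Name     = $g.DisplayName
        Eligible = ($blockers.Count -eq 0)
        Blockers = $blockers -join '; '
        Note     = if ($closed) { 'Closed join/depart: becomes a private Office 365 Group' } else { '' }
    }
}
$report | Sort-Object Eligible, Name | Format-Table -AutoSize -Wrap
```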

Aug 05
Office 365 – Office 365 Admin Universal App is GA

The Office 365 Admin Universal App has reached general availability.

If you have been running the beta version (Office 365 Admin Universal Beta) you need to install the released version.

If you have been running the ‘old’ version of the Office 365 Admin app on Windows 10, the app will be updated; if not, check the app store to ensure you have enabled automatic updates, or check for updates manually.

If you are using Windows Phone 8.1, the app will continue to run but will not receive any further update.

Jul 26
Skype for Business – Getting MAPI unavailable message after switching to UCS

If you have configured your Skype for Business infrastructure to use UCS (Unified Contact Store), or if you have requested to get it enabled on Office 365 (yes, UCS is not activated by default on Office 365 and you need to open an SR to get it), you may face the following issue.

The Skype for Business client may show the following symptoms:

  • When displaying the Configuration Information:

MAPI Information;Your Outlook profile is not configured correctly. Contact your support team with this information.;MAPI unavailable;
EWS Information;;EWS Status OK;

  • Delegate functionality may be broken

If so, there are two plans: one simple, one a little more complex.

Simple Plan – Deploy the July 5th 2016 fix

This is very simple, just download and deploy the fix from

However, this may not work, especially if you have an Office 2013/Office 2016 Click To Run installation: the fix will not detect any product to which it must be applied.

You can try to force your Click To Run install to get updated, but it seems the fix is not yet available there either (I did and the issue was not solved).

So, let’s take a look at the more complex action

More Complex – Registry fix

Launch the registry editor (regedit) and browse to the following key:

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles and open your default profile.

Then locate the subkey named 9375CFF0413111d3B88A00104B2A6676.

Open the subkey and check each of its keys until you find the one with your email address shown in the Account Name value.

Take the value from the Service UID and then locate the subkey with the same name below the Profiles tree. In this example the Service UID value is 980e871e9d8a8644b50ddd6c2c583715, so the subkey to locate is HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\980e871e9d8a8644b50ddd6c2c583715

Take the value from the 01023d0d binary value and repeat the same search.

In this example, the value is 2c5e812328c4cb42bfbd2be3d360e7b3 so the subkey to search for is HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\2c5e812328c4cb42bfbd2be3d360e7b3

There you need to create a new String value named 001e6603.

Edit this new string value with the value of your mailbox LegacyDN; you can get the LegacyDN from the XML tab of the Test e-mail autoconfiguration tool in Outlook.

Close your SfB/Lync client and restart it. You should now get:

UCS Connectivity State;Exchange connection Active;--;
MAPI Information;MAPI Status OK;MAPI Status OK;
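
The registry walk above can be scripted so the three lookups are not done by hand. This is an added example, not part of the original post: it only reads the registry unless -LegacyDN is supplied, and it assumes that the profile name can be taken from the DefaultProfile value under the Outlook key and that Account Name may be stored either as a string or as UTF-16 bytes.

```powershell
# Added example, not from the original post. Read-only unless -LegacyDN is supplied.
param(
    [Parameter(Mandatory = $true)][string]$EmailAddress,
    [string]$ProfileName,   # assumption: falls back to the DefaultProfile value
    [string]$LegacyDN       # when supplied, written to 001e6603
)
$ErrorActionPreference = 'Stop'
$outlook = 'HKCU:\Software\Microsoft\Office\16.0\Outlook'
if (-not $ProfileName) { $ProfileName = (Get-ItemProperty -Path $outlook).DefaultProfile }
if (-not $ProfileName) { throw 'No profile name given and no DefaultProfile value found' }
$root = Join-Path $outlook "Profiles\$ProfileName"

function ConvertTo-Text($Value) {
    # Assumption: the value may be a REG_SZ string or UTF-16 bytes
    if ($Value -is [byte[]]) { [Text.Encoding]::Unicode.GetString($Value).TrimEnd([char]0) }
    else { [string]$Value }
}
function ConvertTo-Hex($Bytes) {
    # Binary registry value -> lowercase hex string, as used for the subkey names
    if ($Bytes -isnot [byte[]]) { throw 'Expected a binary registry value' }
    -join ($Bytes | ForEach-Object { $_.ToString('x2') })
}

# Step 1: account entry whose Account Name matches the mailbox
$account = Get-ChildItem -Path (Join-Path $root '9375CFF0413111d3B88A00104B2A6676') |
    Where-Object { (ConvertTo-Text ($_.GetValue('Account Name'))) -eq $EmailAddress } |
    Select-Object -First 1
if (-not $account) { throw "No account named $EmailAddress in profile '$ProfileName'" }

# Step 2: Service UID names the service subkey
$serviceKey = Join-Path $root (ConvertTo-Hex ($account.GetValue('Service UID')))

# Step 3: 01023d0d in the service subkey names the subkey that needs 001e6603
$targetKey = Join-Path $root (ConvertTo-Hex ((Get-Item -Path $serviceKey).GetValue('01023d0d')))
if (-not (Test-Path -Path $targetKey)) { throw "Subkey not found: $targetKey" }

# Step 4 (optional): create or overwrite the string value with the LegacyDN
if ($LegacyDN) {
    New-ItemProperty -Path $targetKey -Name '001e6603' -Value $LegacyDN `
        -PropertyType String -Force | Out-Null
}

[pscustomobject]@{
    Profile    = $ProfileName
    ServiceKey = $serviceKey
    TargetKey  = $targetKey
    '001e6603' = (Get-Item -Path $targetKey).GetValue('001e6603')
}
```

Run it first with only -EmailAddress to see which subkey would be changed and whether 001e6603 is already set.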


Jul 26
Microsoft Authenticator – New version coming up on August 15th

A new version of the Microsoft Authenticator is coming on August 15th.

As you may know, there have been multiple different apps from Microsoft to manage MFA (Multi Factor Authentication): one for Microsoft Account and one for Microsoft Corporate Account (Azure AD, Office 365…).

On August 15th, this will no longer be the case; both account types will be supported by this new Authenticator app (finally).

In addition to this consolidation, the app will also be available on wearable devices (like Apple Watch) and will support fingerprints (on iPhone and Android devices) and certificate based authentication.

Stay tuned

Jul 22
Azure – Azure AD Connect Health for domain controllers

Microsoft has just released the preview for Azure AD Connect Health for Windows Servers AD. This feature is similar to the health agent used with Azure AD Connect to monitor the health of your directory synchronization instance with Azure AD and your ADFS but for On Premises Active Directory Domain Controllers.

To take advantage of this new feature you need to have Azure AD Premium and download/install the new agent from http://go.microsoft.com/fwlink/?LinkID=820540

Setup the Azure Connect Health Agent for DC

Once you have downloaded the agent, you need to install it on all of your domain controllers.

This is a pretty straightforward installation.

NOTE: the agent can be installed on domain controllers running Windows Server 2008 R2, 2012 and 2012 R2.

Important point: no server restart is required.

Run the agent setup.

Follow the wizard to install the agent.

Once the setup is complete, you need to configure the agent; this is basically an automated process that registers the agent and defines the account used to connect to AD Connect Health.

That’s it, the agent is now installed and will start gathering monitoring data.

You can check that the following services have been installed and are in a running state:

  • AzureADConnectHealthAddsInsights
  • AzureADConnectHealthAddsMonitor

View Reports

Connect to your Azure portal (https://portal.azure.com/) and access the Azure AD Connect Health dashboard.

Then look for the Active Directory Domain Services dashboard; you will see the forest(s) monitored and the number of agents deployed.

Once enough data has been gathered, you will have an insight into your on-premises AD health, including authentication requests, replication state…

Jul 09
Security – Error after upgrading Multi Factor Authentication Server to version 7

If you are already using Microsoft Azure MFA with the on-premises solution (Multi Factor Authentication Server) and want to upgrade (or have already upgraded) to the latest version (version 7.0.2 at the time of writing this post), you may experience the following error after you have upgraded your ADFS connector if you have integrated MFA with ADFS, especially when you restart your ADFS services.

Log Name:      AD FS/Admin
Source:        AD FS
Date:          7/9/2016 10:55:08 AM
Event ID:      105
Task Category: None
Level:         Error
Keywords:      AD FS
User:         
Computer:     
Description:
An error occurred loading an authentication provider. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.
Identifier: WindowsAzureMultiFactorAuthentication
Context: Proxy device TLS pipeline

Additional Data
Exception details:
The external authentication method pfadfs.AuthenticationAdapter, MultiFactorAuthAdfsAdapter, Version=6.3.0.17452, Culture=neutral, PublicKeyToken=31bf3856ad364e35 could not be loaded. Could not load file or assembly 'MultiFactorAuthAdfsAdapter, Version=6.3.0.17452, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The system cannot find the file specified.

This is because the resource has been renamed.

To solve the issue, you need to unregister the previous version of the ADFS connector and then register the new one.

Disable MFA in ADFS

If you have already integrated MFA with your ADFS, this means you are using it (or should be).

Before unregistering the “old” version, you need to disable it from your ADFS console, under Authentication Policies.

Unregister the previous version

Open a PowerShell prompt and run the following command

Unregister-AdfsAuthenticationProvider -Name WindowsAzureMultiFactorAuthentication

If you did not disable the connector from ADFS first, you will get this error:

Unregister-AdfsAuthenticationProvider : PS0099: The specified authentication provider cannot be removed from the
policy store.  The provider is currently specified in the additional authentication providers list. Remove the
provider from the additional authentication providers list.
At line:1 char:1
+ Unregister-AdfsAuthenticationProvider -Name WindowsAzureMultiFactorAuthenticatio ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Unregister-AdfsAuthenticationProvider], ArgumentException
    + FullyQualifiedErrorId : PS0099: The specified authentication provider cannot be removed from the policy store.
   The provider is currently specified in the additional authentication providers list. Remove the provider from the
  additional authentication providers list.,Microsoft.IdentityServer.Management.Commands.RemoveExternalAuthProviderC
  ommand

Once completed, restart the ADFS service.

Register the new version

Run the PowerShell script provided with MFA to register the new version; the script is located in the C:\Program Files\Multi-Factor Authentication Server folder and is called Register-MultiFactorAuthenticationAdfsAdapter.ps1.

Once completed, restart your ADFS services again.

Re-enable the connector

Reopen your ADFS console and browse to the Authentication Policies to re-enable the connector; you will notice the name has been changed to Azure Multi-Factor Authentication Server.
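
The unregister, register and re-enable sequence above, as a guarded script. This is an added example, not the script shipped with MFA Server and not from the original post: the -ReEnable switch and the helper function names are hypothetical, and because the post does not give the internal name of the new provider, the script finds it by comparing the registered providers before and after registration.

```powershell
#Requires -RunAsAdministrator
# Added example, not the script shipped with MFA Server. Run it on the AD FS server
# (the primary server in a WID farm) after disabling the old provider in
# Authentication Policies.
param(
    [string]$OldName   = 'WindowsAzureMultiFactorAuthentication',   # identifier from event 105
    [string]$MfaFolder = 'C:\Program Files\Multi-Factor Authentication Server',
    [switch]$ReEnable  # hypothetical switch: add the new provider back to the policy
)
$ErrorActionPreference = 'Stop'
Import-Module ADFS
$started  = Get-Date
$register = Join-Path $MfaFolder 'Register-MultiFactorAuthenticationAdfsAdapter.ps1'
if (-not (Test-Path -Path $register)) { throw "Registration script not found: $register" }

function Get-EnabledProvider {
    # Names in the additional authentication providers list (may be empty)
    @((Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider | Where-Object { $_ })
}
function Get-RegisteredProvider {
    @(Get-AdfsAuthenticationProvider | ForEach-Object { $_.Name })
}

# Guard against PS0099: unregistering fails while the provider is still in the policy
if ((Get-EnabledProvider) -contains $OldName) {
    throw "$OldName is still enabled in Authentication Policies. Disable it there first."
}

# Unregister the previous adapter if it is still registered, then restart AD FS
if ((Get-RegisteredProvider) -contains $OldName) {
    Unregister-AdfsAuthenticationProvider -Name $OldName -Confirm:$false
    Restart-Service -Name adfssrv
}

# Register the new adapter from the MFA Server folder, then restart again
$baseline = Get-RegisteredProvider
Push-Location $MfaFolder
try { & $register } finally { Pop-Location }
Restart-Service -Name adfssrv

# The new provider is whatever name appeared since the baseline was taken
$new = @(Get-RegisteredProvider | Where-Object { $baseline -notcontains $_ })
if ($new.Count -ne 1) { throw "Expected one new provider, found $($new.Count): $($new -join ', ')" }

if ($ReEnable) {
    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider (@(Get-EnabledProvider) + $new)
}

# A new event 105 after the restarts means an adapter still fails to load
$loadErrors = @(Get-WinEvent -FilterHashtable @{
        LogName = 'AD FS/Admin'; Id = 105; StartTime = $started
    } -ErrorAction SilentlyContinue)

[pscustomobject]@{
    NewProvider = $new[0]
    Enabled     = (Get-EnabledProvider) -contains $new[0]
    LoadErrors  = $loadErrors.Count
}
```

Until the new provider is enabled again, the global policy has no additional authentication provider from MFA Server, so keep the window between the first and last step short.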

Jul 06
Azure / Office 365 – Conditional Access is now available in preview

Azure AD Conditional Access policies for Office 365 (Exchange and SharePoint Online) are now available in preview; additional services may be supported (see the end of this post).

This makes it easier to require multi-factor authentication when accessing Office 365 services. Until now, you either had to manage it at the ADFS level if you were using federated authentication, or you were not able to define such conditional access if you were using Office 365 authentication.

Requirements

Before setting up Azure AD Conditional Access policies you need to ensure that your devices will be supported:

Setup Conditional Access Policies (Cloud Authentication)

Log on to your Azure administration portal (“old” version) using your Office 365 admin account (or Azure AD admin account): https://manage.windowsazure.com

Access your Office 365 directory and open the Applications tab.

Select Office 365 Exchange Online.

Then open the Configure options.

Activate the Multi Factor Authentication and Location Based Access Rules.

And define your requirements.

Repeat with Office 365 SharePoint Online.

You can also configure Yammer, Visual Studio Online, Office 365 Customer Success Center, CRM Online, Azure RemoteApp, Azure OMS.


 About

Benoit specializes in Microsoft infrastructure (Active Directory, Azure, ForeFront products, Hyper-V, Identity Management, System Center, Windows) and collaboration (BPOS, Exchange, Office 365, SharePoint) technologies.

He has been awarded Microsoft Most Valuable Professional (MVP) since 2002, on Windows, then SharePoint and finally Office 365. He was recognized as a Microsoft Community Contributor for his work in the Office 365 community in 2013 and 2014.

He has been involved in the early testing phases of many Microsoft products, from Windows to Office 365, including Exchange, SharePoint, the Office client and WindowsUpdate.

He has participated as a speaker or Ask The Expert (ATE) at many Microsoft or Quest events. He also participated in writing several books on SharePoint (2003 to 2010).

With more than 10 years of professional experience, he has a deep knowledge of the Microsoft market and its competitors.

