Following my previous post announcing the preview of the new version of Azure AD Connect, which will replace the current DirSync tool for Office 365, here is a post detailing the installation of the preview.
As said in my previous post, this version can be downloaded from the Connect web site (http://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=53949)
For this installation, I reused the same server which already hosts my DirSync instance for Office 365, as well as the Yammer DirSync. I did this to test the upgrade (if there is one) from DirSync to Azure AD Connect. I also already have an ADFS in place with a Web Application Proxy.
So, I started by trying to upgrade from DirSync (version 1.0.6862, so not the latest version but not too old).
First step, accept the EULA – simple
Then the setup analyzes the server – this is where trouble can appear.
It seems the check passed, as I got the request to enter my Office 365/Azure Active Directory credentials – don't forget, this still requires global administrator credentials.
For the purpose of this post, I also first tried with a NON global administrator account – it's a preview and I just wanted to check/get the error.
… and it seems it passes even if this account is NOT a global administrator, and I reached the next step, which displayed the Express Settings proposed by the tool regarding my current state (single AD forest BUT it does not detect my ADFS install).
So I reassigned the global administrator role and tried the Custom step.
After hitting the Customize button to configure the settings myself, I got the Single Sign On experience and had to choose between ADFS or Password Sync. If you hover over the question mark, you will get a quick explanation of each option.
So, the next steps followed the choice of Password Sync.
Then you have to define the Active Directory to synchronize (as it is based on AD Connect, you can add multiple AD forests) or a non-AD LDAP directory.
Then you have to select which features you want to enable: Exchange Hybrid and/or Password Write Back (remember, this last feature requires Azure Active Directory Premium).
Then you have to define how your users are represented; this is important if you are synchronizing multiple directories and the same user accounts are present in more than one of them.
You have more choices here, including the option to use a custom attribute.
Then, in a step common to both options, you define how to link the cloud and on premises user objects.
This is it, the setup can be completed (and I will see if the upgrade is possible and working as expected).
And… it failed with the error Unable to install the synchronization service.
So I will uninstall my DirSync instance.
As it is not possible to upgrade from DirSync to this preview, I uninstalled the DirSync instance and tried again.
The setup process is exactly the same anyway.
The good news is the setup detects that a previous run has already been done with some configuration, and proposes to keep it or start over.
The wizard has a minor bug here: when it starts the configuration, the main window is kept in front while a new one displaying all the progress is hidden behind it (obviously this should be the same window).
Then as usual you can open the Synchronization Service console to select/unselect the OUs to be synchronized (this time it is located below C:\Program Files\Microsoft Azure AD Sync\UIShell); the connector names use either the tenant name for Azure AD or the directory name for the on premises directory.
In the meantime, there is no longer an MSOL account created and used to synchronize your AD; the tool now uses the account you defined during the configuration (so do not use the administrator account anymore; a dedicated account holding only the rights the synchronization needs is the right choice).
To complete, open the Scheduled Tasks console and enable the task created during the installation, called Azure AD Sync Scheduler.
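The two checks a practitioner wants after this walkthrough, as an added PowerShell example that is not part of the original post: confirm that the Azure AD account used by the setup really holds the Global Administrator role (the MSOnline module names it "Company Administrator"), and enable the scheduler task that the installation leaves disabled. The account name is a placeholder; the task name is the one given in the post.

```powershell
# Added example, not code from the original post. Assumptions: the MSOnline
# module is installed; the scheduler task is named "Azure AD Sync Scheduler"
# as in the post; run elevated on the synchronization server.
param(
    [string]$SyncAccountUpn = 'sync-admin@contoso.onmicrosoft.com',  # placeholder
    [string]$TaskName       = 'Azure AD Sync Scheduler'
)

Import-Module MSOnline
Connect-MsolService   # prompts for tenant credentials

# 1. The Azure AD account used by the setup must hold the Global Administrator
#    role, which MSOnline exposes under its internal name "Company Administrator".
$role    = Get-MsolRole -RoleName 'Company Administrator'
$members = Get-MsolRoleMember -RoleObjectId $role.ObjectId
if ($members.EmailAddress -contains $SyncAccountUpn) {
    "$SyncAccountUpn is a Global Administrator"
} else {
    Write-Warning "$SyncAccountUpn is NOT a Global Administrator; a later step may fail"
}

# 2. Setup leaves the synchronization scheduler disabled; enable it and confirm.
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction Stop
if ($task.State -eq 'Disabled') {
    Enable-ScheduledTask -TaskName $TaskName | Out-Null
}
$state = (Get-ScheduledTask -TaskName $TaskName).State
$next  = (Get-ScheduledTaskInfo -TaskName $TaskName).NextRunTime
"Task '$TaskName': state=$state, next run=$next"
```

Run it once after the wizard finishes; if the task is already enabled the second part only reports its state and next run time.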
On the client side, Microsoft has published an update for Windows 7 and 8 clients that allows these clients to use the Azure service called Azure Backup.
Go to http://support.microsoft.com/kb/3015072 to download and install the package and start backing up your clients to Azure.
Microsoft has announced that Azure AD Connect, the new tool to synchronize On Premises Active Directory directories, will replace the current DirSync tool for Office 365 in the very near future.
As you may be aware, for a few months now we have had different synchronization tools for Office 365 and Azure Active Directory:
Since yesterday, a new version of Azure AD Connect has been available as a public preview which combines both DirSync and Azure AD Connect features.
Read the announcement here http://blogs.technet.com/b/ad/archive/2014/12/15/azure-ad-connect-one-simple-fast-lightweight-tool-to-connect-active-directory-and-azure-active-directory.aspx
Download the preview here http://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=53949
While working on a project to deploy Office 365 with ADFS 3.0, I ran into an issue with the Lync mobile client on Android ONLY; other Lync clients did not have the issue (on Windows, Windows Phone or iOS).
The issue was that the user was not able to sign in on the Lync 2013 mobile client on Android (while Office mobile or web browser access worked fine); the same user account on Windows, Windows Phone or iOS worked fine too.
It appeared that (for some unknown reason) a default entry on the ADFS and Web Application Proxy servers was not there: the 0.0.0.0:443 SSL certificate binding.
So the solution was quite simple and has to be applied on both the ADFS and Web Application Proxy servers:
It returns all SSL listeners available on the server.
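The check and the fix from the lines above, as an added PowerShell example that is not part of the original post. ADFS 3.0 registers its HTTP.sys certificate bindings by host name (SNI); a client that does not send the SNI extension only reaches the service if an IP-based fallback binding on 0.0.0.0:443 also exists. The script parses the output of netsh http show sslcert, and, if the fallback binding is missing, creates it by copying the certificate hash and application ID from the existing federation host-name binding rather than hard-coding either value. The federation host name is a placeholder, and the parsing assumes the English netsh output labels.

```powershell
# Added example (not from the original post): ensure HTTP.sys has a fallback
# SSL binding on 0.0.0.0:443 for clients that do not send SNI. Assumptions:
# run elevated on the AD FS or WAP server; the host name below is a placeholder;
# netsh prints its English labels ("IP:port", "Hostname:port", ...).
$FederationHost = 'adfs.contoso.com'      # placeholder, replace with your own

# Parse "netsh http show sslcert" into one object per binding block.
function Get-HttpSysSslBindings {
    $bindings = @()
    $current  = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            if ($current) { $bindings += [pscustomobject]$current }
            $current = [ordered]@{ Key = $matches[2]; Kind = $matches[1]; CertHash = $null; AppId = $null }
        }
        elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]+)') {
            $current.CertHash = $matches[1]
        }
        elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\{[0-9a-fA-F-]+\})') {
            $current.AppId = $matches[1]
        }
    }
    if ($current) { $bindings += [pscustomobject]$current }
    return $bindings
}

$all      = Get-HttpSysSslBindings
$fallback = $all | Where-Object { $_.Key -eq '0.0.0.0:443' }
if ($fallback) {
    "Fallback binding already present (certificate hash {0})" -f $fallback.CertHash
    return
}

# No fallback binding: reuse the certificate and app ID of the federation host binding,
# so the non-SNI listener presents exactly the same certificate as the SNI one.
$template = $all | Where-Object { $_.Key -eq "${FederationHost}:443" }
if (-not $template) { throw "No SSL binding found for ${FederationHost}:443; check the host name" }

netsh http add sslcert ipport=0.0.0.0:443 "certhash=$($template.CertHash)" "appid=$($template.AppId)"

# Confirm the new listener is visible.
Get-HttpSysSslBindings | Where-Object { $_.Key -eq '0.0.0.0:443' } | Format-List Key, CertHash, AppId
```

Run it on each ADFS server and on each Web Application Proxy; it is idempotent, so running it again only reports the existing fallback binding.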
As you may already know – if not, this is it – Microsoft has provided Multi-Factor Authentication (MFA) with Office 365 and Azure Active Directory for some time now. This MFA solution is provided by PhoneFactor, which has since been bought by Microsoft.
If you don’t know anything about this just take a look here http://blog.hametbenoit.info/Lists/Posts/Post.aspx?ID=618 for On Premises deployment and http://blog.hametbenoit.info/Lists/Posts/Post.aspx?ID=556 for the Office 365 version.
That said, and while I'm a big fan of this solution, there has been a big hole in it: it worked ONLY for web browser access; Office clients (and PowerShell) did not support this additional authentication scheme. The workaround was to set up what is called an App Password, which is automatically generated and, in my opinion, is not so secure as it contains only lowercase characters. An app password also lets the client that presents it skip the second factor entirely, so it is effectively a long-lived single-factor credential for that account.
After this introduction, here is the GOOD news… support for MFA will be available soon for Office clients (nothing said about PowerShell support).
If you want to know more and take part in the preview, read the announcement here http://blogs.office.com/2014/11/12/office-2013-updated-authentication-enabling-multi-factor-authentication-saml-identity-providers/ and join the preview here http://aka.ms/previewauth
Read the announcement carefully as there are some restrictions.
Hopefully I will be able to provide you my feedback on this preview soon.
Today, the OneDrive app for Windows Phone – the personal version – has been updated to the version
OK, I usually don't post about such mobile app updates – as they can be frequent – but this one is worth noting as it introduces a new feature.
Indeed, you can now add your OneDrive for Business space into the OneDrive (personal) mobile application.
If this page does not come up when you start the OneDrive app after the update, just hit the button on the top left (just left of the Files menu).
Then just enter your Office 365 organization account.
Once authenticated, your OneDrive for Business will appear in the list of available storage spaces as well as through the Settings\Accounts menu; as you can see, you can add more than one Office 365 OneDrive for Business space.
If you want to reach your OneDrive for Business space, you just need to switch by hitting the Files menu shown below your Office 365 account.
If you are running the preview version of Windows 10, you may be aware that an updated version is available and should be installed through the Update and Recovery section of PC Settings in the Charm bar.
OK, but if you have enabled Media Center this operation will fail with the error code 0x800700EA. I found that it is the Media Center feature which causes that issue, thanks to the Windows community forum (the only place I found the exact same issue, BUT with no solution except reinstalling without enabling Media Center – as a reminder, this comes with a specific product key).
So as I did not want to reinstall it (even via an in-place upgrade), I dug a little and found 2 registry keys that have to be updated to allow me to get the updated version of Windows 10.
You have to change the value of the following keys:
These keys are located below HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion and HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion.
After changing the value of these keys, restart the client and go to the Update and Recovery section to get the updated version.
I know OneDrive for Business is not completely working (many synchronization issues have been reported, lack of troubleshooting options…) but when it works, it is really helpful (especially because the storage space was recently increased to 1 TB). I'm myself not a big fan of OD4B.
So that said – and because Microsoft is working hard to improve that – there is a useful Excel file which can help in the OneDrive for Business deployment, called OneDrive for Business Client Network Bandwidth Calculator, available for download from http://www.microsoft.com/en-us/download/details.aspx?id=44541 (currently in beta).
This spreadsheet will help you determine the bandwidth consumption for your company when deploying OneDrive for Business.
You can define the number of sites, number of users per site, average file size, client type (mobile, PC…) and it will generate a report with graphics to help you understand what you need to provide a good user experience (if possible with the current version).
Microsoft has updated its Azure Cost Estimation tool, now available at http://www.microsoft.com/en-us/download/details.aspx?id=43376
After installing it, you will be able to scan your on premises environment (running either on a physical server or a hypervisor like Hyper-V, SCVMM or ESX) and get a cost estimate for the same environment on Azure.
As a sample, here is the result for a Hyper-V 2012 R2 server running 7 VMs – including SharePoint 2013, Exchange 2013, Lync 2013 and SQL Server.
Of course you can adjust the costing by changing the Compute Instance.
As you may already know, one of the most complicated tasks for IT and security people is to ensure sensitive corporate data is well protected.
To help them in this task, Microsoft introduced a technology called Rights Management Services (RMS) about a decade ago (the first release was provided with Windows Server 2003 as an additional downloadable component). Since then, and with the move to the cloud, RMS has also been made available to Office 365 customers as Azure RMS.
That said, the On Premises RMS version has (at least) one limitation: you cannot share RMS-protected documents with external people – you need either to create (and so manage) a user account in your Active Directory for those people, or to implement a federation with the external organization, which requires that organization to implement ADFS too. On the other side, Azure RMS can help share such protected documents with external people BUT does not deliver On Premises protection, meaning you cannot use Azure RMS on its own to protect On Premises file shares, SharePoint sites or Exchange mail flows.
Good news: Microsoft has provided an RMS connector to let you use Azure RMS with your On Premises systems.
To do so, you just have to
I will not go through the first 3 steps – Azure RMS activation, directory synchronization and federation – as there is already a lot of documentation available, even on this blog. So, let's start with the connector installation and systems configuration.
There are 3 files available for download
The connector can be installed on Windows Server 2008 R2 to 2012 R2. If you plan to implement high availability, you have to install it on at least 2 different servers.
During the installation, IIS and all required features will be installed if they are not already on the server.
You can use the setup program to install the Azure RMS connector console on a remote client – if the client does not meet the requirements to install the connector itself, you will automatically be offered to install the console only. This console allows you to manage the servers authorized to use the connector.
It is not necessary to use a dedicated server to host the connector, BUT do not install it on the Exchange, SharePoint or file share servers to be protected with the connector.
The connector setup is very simple, just follow the install wizard; there are no specific settings here except the tenant credentials to be entered.
NOTE 1: if the tenant administrator account uses MFA (multi-factor authentication), the setup will fail; I recommend using a dedicated account, similar to the one used for the Directory Synchronization installation. The error you get does not clearly say MFA is not supported, only that the user name and password combination is not correct.
NOTE 2: the credentials used here MUST be either an Office 365 Global Administrator, an RMS Tenant Global Administrator or an Azure RMS Connector Administrator. The last of these is the least privileged and is the right role for a dedicated account. If you plan to use an RMS account, see later in this post for connecting to the Azure RMS tenant and configuring the privileged account.
Once the connector installation has been completed, the first thing to do is to allow the hosting servers to use the Azure RMS connector.
At the end of the installation, the wizard proposes to launch the console to authorize the servers. If not, or if you closed the wizard without launching the console, just start it from the Start menu.
In this console, you just have to add the server(s) allowed to use the RMS connector – such as the file share server, Exchange or SharePoint server.
When adding a server, you have to define which server type – Exchange, SharePoint or File Share – and an account – either a service or computer account.
As the RMS connector uses an IIS web site, by default it listens on HTTP; as for any sensitive HTTP communication, it is recommended to use HTTPS, otherwise the licensing traffic between the protected servers and the connector can be read or tampered with on the network.
To enable the RMS connector for HTTPS, just open the IIS console and bind the HTTPS port (443) with a certificate; you can use either your internal Certification Authority or a public one.
You can also configure a binding using a generic URL instead of the server name; this is required if you plan to use load balancing for high availability. This is also recommended even if you deploy only one RMS connector server.
Do not change this URL after you have configured Exchange, SharePoint or file servers to use the RMS connector.
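The HTTPS binding on a generic name described above, scripted with the IIS WebAdministration module, as an added example that is not part of the original post. It assumes the connector is hosted in IIS "Default Web Site", that the generic name is rmsconnector.contoso.com (a placeholder), and that a certificate issued for that name with its private key is already in the LocalMachine\My store; it is idempotent, so it can be run on each connector server behind the load balancer.

```powershell
# Added example, not code from the original post. Assumptions (placeholders):
# the connector web site is IIS "Default Web Site" on this server, the generic
# name is rmsconnector.contoso.com, and a certificate issued for that name with
# its private key is already in the LocalMachine\My store. Run elevated.
Import-Module WebAdministration

$SiteName      = 'Default Web Site'
$ConnectorFqdn = 'rmsconnector.contoso.com'   # generic name, not the server name

# Pick the newest certificate whose subject is the generic name and that has a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -match "CN=$([regex]::Escape($ConnectorFqdn))\b" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $ConnectorFqdn in LocalMachine\My" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $($cert.Thumbprint) has expired" }

# Add the HTTPS site binding on the generic host name if it is not already there.
$bindingInfo = "*:443:$ConnectorFqdn"
$present = Get-WebBinding -Name $SiteName -Protocol https |
    Where-Object { $_.bindingInformation -eq $bindingInfo }
if (-not $present) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $ConnectorFqdn
}

# Attach the certificate to the HTTP.sys SSL binding that the site binding uses.
$sslBinding = 'IIS:\SslBindings\0.0.0.0!443'
if (-not (Test-Path $sslBinding)) {
    $cert | New-Item $sslBinding | Out-Null
}

# Show the result; this is the URL to give to the Exchange, SharePoint and file servers.
Get-WebBinding -Name $SiteName -Protocol https | Select-Object protocol, bindingInformation
"Connector URL: https://$ConnectorFqdn (do not change it once servers are configured)"
```

Selecting the certificate by subject name rather than by a pasted thumbprint keeps the script the same on every node, and the expiry check catches the classic failure where a load-balanced node silently serves an old certificate.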
Exchange 2010 SP3 with CU 6 or Exchange 2013 CU 3 (or later) is supported for use with the RMS connector.
You need to install an updated version of the RMS client if you are running Windows Server 2008 or Windows Server 2008 R2, to support RMS Cryptographic Mode 2 (Windows Server 2012/2012 R2 already support it).
Run the PowerShell script to configure the Exchange server to use the connector (don't forget, always run the script using Run as administrator).
This script automatically creates and updates registry keys – if you want to do it manually, just read the script to get the keys and values.
It will ask you for the RMS connector URL (your RMS connector server(s)).
Once this has been completed, you have to enable Exchange for RMS – see http://technet.microsoft.com/en-us/library/dd351212(v=exchg.150).aspx
By the way, to enable RMS on Outlook Web App for On Premises you have to run the following command in the Exchange Management Shell (it enables IRM on every OWA virtual directory; use -Identity instead of the pipeline to target a single one): Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -IRMEnabled $true
SharePoint 2010 and SharePoint 2013 are supported for use with the RMS connector.
As for Exchange Server, if you are not running Windows Server 2012/2012 R2, you need to update the RMS client.
Run the PowerShell script to configure the SharePoint server to use the connector (don't forget, always run the script using Run as administrator).
As for Exchange, once this has been completed, you have to set up SharePoint for RMS use – see http://technet.microsoft.com/en-us/library/hh545608(v=office.14).aspx
If you are using a proxy server, you may have to configure the RMS connector to use this proxy.
Unfortunately, there is no interface to do so; you have to manually update the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AADRM\Connector and add a String value called ProxyAddress with the proxy settings as its value (like http://proxyserver:8080).
To configure the privileged Azure RMS account, you need to use the PowerShell module for Azure RMS – available at http://technet.microsoft.com/en-US/library/jj585012.aspx
Then run the following commands
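As an added example, not the commands from the original post, here is how the dedicated connector account from NOTE 2 is granted the narrowest role the setup accepts with the Azure RMS module linked above. The module name AADRM and the cmdlets are those of that module; the account address is a placeholder.

```powershell
# Added example, not the commands from the original post. Assumptions: the Azure
# RMS PowerShell module (AADRM) linked above is installed, and the address below
# is a placeholder for the dedicated account that will run the connector setup.
Import-Module AADRM
$ConnectorAccount = 'rmsconnector-svc@contoso.onmicrosoft.com'   # placeholder

# Sign in to the Azure RMS tenant as a Global Administrator (prompts for credentials).
Connect-AadrmService

# Grant the narrowest role that the connector setup accepts: ConnectorAdministrator
# can install and run the connector but cannot change the tenant's RMS configuration.
Add-AadrmRoleBasedAdministrator -EmailAddress $ConnectorAccount -Role ConnectorAdministrator

# Review every delegated administrator, so a GlobalAdministrator grant does not
# slip through unnoticed.
Get-AadrmRoleBasedAdministrator | Format-List *

Disconnect-AadrmService
```

Because this account must not use MFA (NOTE 1), keep it to the connector role only and treat its password as a service credential: long, stored in a vault, and rotated rather than shared.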
Benoit specializes in Microsoft infrastructure (Active Directory, Azure, Forefront products, Hyper-V, Identity Management, System Center, Windows) and collaboration (BPOS, Exchange, Office 365, SharePoint) technologies.
He has been awarded Microsoft Most Valuable Professional (MVP) since 2002 – on Windows, then SharePoint and finally Office 365. He has been recognized as a Microsoft Community Contributor for his work on the Office 365 community in 2013 and 2014.
He has been involved in the early testing phase of many Microsoft products – from Windows to Office 365, including Exchange, SharePoint, Office client and Windows Update.
He has participated as a speaker or Ask The Expert (ATE) at many Microsoft or Quest events. He also participated in writing several books on SharePoint (2003 to 2010).
He is now working as a Cloud Solution Architect for an Australian company, Kloud, in Sydney, after working at Capgemini Australia, Capgemini and Sogeti France, Microsoft France and Avanade France.
With more than 10 years of professional experience, he has a deep knowledge of the Microsoft market and its competitors.
This blog uses tracking code for analytics purposes.
No personal data is stored or maintained.