Skip Ribbon Commands
Skip to main content
Benoit s Corner

Benoit's corner

Apr 01
Office 365 – Office 365 Admin mobile app updated

As announced some time ago the Office 365 Admin mobile application has been updated with a brand new interface and features which provide more administration stuff than the previous version which was more providing health services than anything else (see

Even if almost everyone was happy to get this new version, there was still some missing point such as the ability to assign license to federated users.

Good news, since today this is now possible Smile

Mar 31
Office 365 – Mobile Devices Management is now available

It has been announced some time ago, Microsoft has now delivered a first release of the mobile devices management for Office 365.

You can now define complete access rules for mobile devices to access your Office 365 resources.

This feature is currently being roll out on Office 365 for all Office 365 commercial plans (Business, Enterprise, EDU and government).

If you are interested in cloud mobile devices management, the first thing is to choose between Intune and Office 365 MDM – see for the comparison

Enable and configure Office 365 MDM

Then, if you want to use the Office 365 MDM, you have to activate the service by going to the Mobile Devices menu from the Office 365 admin portal to activating it; please note it may take some time to complete the activation


Then you will have to complete the configuration by:

  • configuring the DNS records required – please note the interface may display your tenant has been already correctly configured for the DNS but this is a false positive state because you already have associated Internet domain. DNS entries required
    • CNAME enterpriseenrollment pointing to
    • CNAME entepriseregistration pointing to

Please note that the last entry may already exists and points to your ADFS end point or your Azure device registration as this entry is used for the Join Workspace feature.

  • create the APN’s certificate to allow you to manage Apple devices (iPhone / iPad)


Setup MDM Access Rules

Once this has been done, you can also additionally configure multi factor authentication requirements and setup the access rules.

Access rules are managed from the Compliance Center – which has been available since few days now.

NOTE this access rules are overriding the Exchange mobile devices access rule you may have already setup


To setup an access rule, just hit the + sign and follow the wizard

As part of the settings available you can:

  • request to setup a device password
  • require device encryption
  • block jail broker device


Then you have the choice to apply or not the rule after the creation – this may take few minutes to apply on devices


NOTE if you want to apply now the new access rule, you have to select existing security group and you have to search for the DL; the interface does not gather automatically existing DL for performance reasons


View devices list

From the Office 365 admin portal you can get compliance reports for registered devices


NOTE there is currently a defect as the user list returned contains sample Contoso data


From the Office 365 admin portal you can also have a quick look of these devices and perform a wipe operation – either FULL wipe which completely reset the device or a SELECTIVE wipe which removes ONLY your corporate data (OneDrive for Business, Mail…)


Setup Mobile Device

To enroll a device to for Office 365 MDM, you must use either:

  • use the workplace feature of Windows Phone 8.1


  • use the Company Portal application for Apple and Android devices
Mar 29
Windows 10 – Do not install the latest Surface firmware if you have Bitlocker enabled and running Windows 10 10041

UPDATE 30/03/2015 - After disabling BitLocker to solve the issue, you can re enable it

Today, I have installed the latest updates available through Windows Update on my Surface Pro 3 running Windows 10 Technical Preview build 10041: KB 3050653 and System Firmware Update.

My Surface has Bitlocker enabled.

Unfortunately, after the usual system restart and after the Surface Firmware has been updated, I ran into the issue than Windows does not start anymore.

After entering the Bitlocker PIN, the system immediately ran into the “Preparing Bitlocker Recovery” mode and failed to load Windows with the error 8007139f.

I have been able to correctly start Windows if I choose to run the Recovery mode when Bitlocker asks for the PIN and then enter the long recovery code. Then I uninstalled the potential KB involved, restart but still had the issue.

So, this means this is the firmware which is in cause and the only solution if it has been installed is to disable Bitlocker if you are running Windows 10 Build 10041.

I don’t know if this happen also for user running Windows 8.1 on their Surface Pro 3 with Bitlocker as I have only 1 Surface Smile

Mar 28
Office 365 / Exchange Online – Changes in the Clutter feature

Since last November and the introduction of the Clutter feature (see for more details), Microsoft has updated the Clutter feature to allow better management of this feature by administrators.

Now, administrators can define retention policies, define rules to bypass Clutter or personalize the message received by end-users.

See to know more

Mar 28
Office 365 / SharePoint Online – Important change with document library

Starting March 24th, SharePoint Online has been updated by enabling by default document versioning on Document library.

This impact all new document library created since then, as well as new site. The document versioning enabled is the Create major version

So be aware of this change has some impact in the storage consumed as well as to the user experience as draft version may not be viewable Smile

More details

Mar 27
Office 365 – Compliance Center

Following my previous post to announce the new Office 365 Compliance Center (, here is a quick post on how to go with it.

Access to the compliance center is allowed to global administrator and based on the RBAC (Role Based Access Control) permission models, the same than the one used by Exchange (either online or on premises); that said Exchange role groups and Compliance Center role groups does not share membership or permission, so this means if you already have setup some compliance role group on Exchange this will NOT be reused by the compliance center

Ok, so let’s discover the Compliance Center.

You can access the compliance center from the administration portal through the Compliance Center from the left menu (the option is located at the end below the Admin section)


Then this open a new tab to connect you to the Compliance Center

What you can do?

For this first version, the compliance center is now the central place to manage compliance policies for both Exchange Online and SharePoint Online.


You can create and manage eDiscovery cases for SharePoint Online, enable/disable Exchange Online Archive for cloud hosted mailboxes (this first version does not allow to manage on premises mailboxes in the context of an hybrid scenario) or define the retention policies for Exchange Online and SharePoint Online

Exchange Online Archive Management

When you hit the Archiving option, you will be able to enabled/disable the online archive feature for Exchange Online mailboxes only. For mailboxes which has already the archive enabled, you get some usage statistics



The eDiscovery section allows you to create and manage eDiscovery cases

The first time you logon and reach this section AND if you don’t have any eDiscovery site created on SharePoint Online, the system will automatically creates a new eDiscovery site for you


Then you will be able to create/manage cases

NOTE if you want to delegate access to this section (see later for the Permissions management for the compliance center), you have to manage the permission to the eDiscovery site from the site itself; delegation from the compliance center does not grant access to the eDiscovery site



This section allows you to manage retentions policies for SharePoint Online and Exchange Online. Until then, it was relatively simple for Exchange Online (as soon as you have been granted the permission) to manage retention policies but not for SharePoint Online

Each links will open a new window

In case this is the first you reach this section and want to manage SharePoint retention policies, the system will automatically create a new Document Deletion Policy Center (which is the Compliance Policy Center template)

NOTE for some reason the automatic provisioning may failed, so just go to the SharePoint Admin portal and provision manually the required site using the Compliance Policy Center AND with the URL CompliancePolicyCenter (if you use another URL, it will continue to fail); then once the site has been provisioned, everything will go fine



Then you will be able to manage from this central point the retention policies

Once again, delegation from the compliance center does not grant access to the compliance policy SharePoint site



The last option allows you to delegate access to the compliance center.

You have default delegation permissions set but you can create your own to delegate specific tasks

As reminder global administrators have been automatically granted access to the compliance center


Once a user has been delegated to access the compliance center he will be able to access the site

The following screenshots shows the delegated views for eDiscovery Manager (as sample)

First, as the user is only delegated for the Compliance Center, there is no link available from anywhere (ie like the Office 365 portal); he has to logon using the URL


What to expect next

So, it’s quite difficult to say what will come and when in the future for the Compliance Center (also because I’m not allowed to do so Smile) but there is one thing I can say: there will be a mobile device management feature coming which will allow you to define access policies to your Office 365 resources.

Mar 25
Office 365 / Azure – Installation of the AAD Connect March Preview build

Following the announcement of the availability of a new AAD Connect preview build (March 2015 build), here is the some details regarding the installation and configuration steps for this build. I may not have covered everything here yet but will do new post if needed.

As quick reminder, if you already had the previous build installed, you have to uninstall it and restart your server as there is NO upgrade path to new build. But there is migration path from DirSync, with a limitation as attributes filtering configured this will NOT be migrated. That said, I would not recommend to perform such upgrade – especially for this build has this is still a beta version.

If you have to uninstall the previous build, please follow these steps:

  • open a command prompt using the run as administrator
  • go to the c:\program files\microsoft azure active directory connect folder
  • run the following command dirsynctool.exe /uninstall
  • follow the wizard to uninstall the tool
  • complete the uninstallation process by opening the Control Panel\Add Remove program and uninstall Azure AD Connect from there





Quite few improvements since the previous beta build; you can now:

  • Define to use a SQL instance
  • Define the service account
  • Set permissions
  • Import previous settings

We will see what are these new configuration settings.


Installation Options

SQL Server Name

If you check this box, you will be asked to define the SQL server\instance to use to host the database used by the synchronization tool. This provide the same installation option than for DirSync with the /fullsql switch (see


Service Account

This option allows you to define the service account to use to run the synchronization tool.

This service account does not need anymore any specific permission at the AD level (as it was the case with DirSync) BUT need the following permission on the local server where the tool is being installed

  • Allow logon locally (if you plan to install it on a domain controller you have to update the GPO for domain controllers)



This setting allows you to define your own group name for the synchronization tool. As reminder, this tool (as well as the “old” DirSync) is based on ForeFront Identity Manager which used his own local group to grant access to some of his configuration set. If you leave this option uncheck (and so with the name fields blank), the tool will use the default names (FIMAdministrator….)


Import Settings

This last option allows you to import connection settings from previous installation. This would be very helpful when you have a bunch of filtering settings defined (like attribute based filtering or OU based); you will not have to reconfigure it each time you have to install a new instance Smile



Once you have define the installation/configuration options, the next steps are the same than for the previous build:

  • choose either the Express or Customized configuration


Usually the express configuration just setup the password synchronization and a single AD forest. If you want to setup a federation and/or multi AD forest synchro you have to choose the customized configuration.

As for previous synchronization tool (DirSync) or previous build, the Office 365 credentials must be Global administrator and if directory synchronization has not been enabled, the tool will do it for you.

Customized Configuration

This build has been improved at this step as you can now choose to setup just password synchronization, the federation or do not configure for the single sign in experience.

The do not configure option allows you to keep your existing federation in place (meaning you don’t have to deploy a new federation server on your existing ADFS environment as it was the case with the previous build if you wanted to use federated authentication)


You can then choose to synchronize all users and devices or just a bunch of it using a group; this could be helpful for a pilot implementation


As almost all the configuration steps are the same than for the previous build, I’m going directly to the last step which has a lot of new features; you can now enable the following features:

  • Exchange Hybrid (ok, this one is not new)
  • Azure AD app and attribute filtering (this one is the well know attribute filtering from DirSync AND the application management from Azure Application portal)
  • Password writeback (also this is not new)
  • User writeback – this option allows user accounts created on Azure AD (or Office 365 admin portal) to be created back onto your Active Directory
  • Group writeback – this option is similar to the previous one but for groups
  • Device writeback – this option automatically configure the synchronization of the Registered Device container; with DirSync you had to manually had this (see My point of view at this stage is the configuration is looks really more complicated with this, I hope this will be a little more simple in GA
  • Device sync
  • Directory extension attribute sync – allows you to sync specific attributes between on premises AD and Azure AD to allow to use them in cloud-based applications

NOTE1 if you plan to implement Device Writeback, ensure you have done the following:

  • either you already have configured your current DirSync instance for device synchronization (as explained here
  • or prepare the directory by using the PowerShell module provided (Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncAdPrep.psm1" and then follow the documentation provided with the preview build – honestly at this stage this looks like very complicated while it has been very simple with DirSync)

NOTE2 the writeback feature for users and groups requires administrators have to define the OU where the Azure users/groups are writeback to AD. I recommend you use a dedicated OU for cloud users and groups synched back from Office 365

NOTE3 cloud users provisioned back on AD thanks to the writeback feature are still shown as Cloud after the synchronization while resetting the password on the AD “cloud” account does not reset the password for the account on Office 365 even if you have to have enabled the password synch off course


For each of the optional features enabled, an additional configuration steps may be required, like for Azure AD Apps or Azure AD attributes


Mar 24
Office 365 / Exchange – Now with latest Exchange CU, ActiveSync devices will be automatically reconfigured

With the release of the CU 8 for Exchange 2013 and the RU 9 for Exchange 2010, ActiveSync devices will be automatically reconfigured when the mailbox has moved from on premises to Office 365.

Previously, the device had to be reconfigured (either by deleting the EAS connection or by manually setting the URL to

To know more about this, go to

Mar 24
Office 365 / Azure – A new build of the Azure Active Directory Connect tool has been delivered

As you may already know since some time, Azure Active Directory Connect (AAD Connect) will be the only tool to synchronize On Premises Active Directory with Azure Active Directory (so replacing DirSync for Office 365) as well as providing more features.

So, a new preview build has been delivered for testing today. There is no upgrade path from the previous build.

Go to to get the new build

Mar 24
Office 365 – Multi Factor Authentication (MFA) support for Office client is now in Public Preview

After being announced some months ago and an internal/private beta program, support for Multi Factor Authentication for Office client is now available in public preview.

MFA support for Office client means if you are using the MFA feature available through Office 365 to secure access to your Office 365 tenant (or the Azure MFA to secure access to both online and on premises application) – see and to know more, you will no longer need to setup the app password to connect when using your Office client Smile

To know more about this public preview go to

I recommend you read the following pages as there are some limitations to get MFA for Office client working.


Some additional documentation:


1 - 10Next

 ‭(Hidden)‬ Blog Tools



Benoit is specialized on Microsoft infrastructure (Active Directory, Azure, ForeFront products, Hyper-V, Identity Management, System Center, Windows) and collaboration (BPOS, Exchange, Office 365, SharePoint) technologies.

He has been awarded as Microsoft Most Valuable Professional (MVP) since 2002 - on Windows, then SharePoint and finally Office 365. Ha has been recoginzed as Microsoft Community Contributor for his work on the Office 365 community in 2013 and 2014.

He has been involved in early stage of testing phase for many Microsoft products - from Windows to Office 365, including Exchange, SharePoint or Office client and WindowsUpdate.

He has participated as speaker or Ask The Expert (ATE) at many Microsoft or Quest events. He also participed in writing several books on SharePoint (2003 to 2010).

With more than 10 years of professional experience, he has a deep knowledge of the Microsoft market and his competitor.

​Privacy Information

This blog is using tracking code for analytics purpose.

No personal data are stored and maintained.

 Follow me on

 Share This

 Office365 Undercover by Arnaud ALCABEZ

Retrieving Data


Microsoft Certified Systems Administrator 
Microsoft Certified Systems Administrator - Messaging
Microsoft Certified Systems Engineer 
Microsoft Technology Specialist 
 Microsoft Certified IT Professional

 Translation Tool

Translate this page

 FaceBook Fan's Page

 Books I wrote

Le portail Microsoft SharePoint 
Microsoft Office SharePoint Portal Server 2003 et WSS au quotidien 
Microsoft Office SharePoint Server (MOSS) et Office 2007  
Microsoft Sharepoint 2010