Azure – Windows Server 2019 Preview is available as VM image

Windows Server 2019 Preview (the next major release of Windows Server) is now available for Azure Virtual Machine.

Just search for Windows Server 2019 when you create a new virtual machine


Search the marketplace ( for Windows Server 2019


Or access the marketplace directly from this URL

Enjoy Smile

Azure – Manage Azure AD Password Protection

So, you have deployed and registered your Azure AD Password Protection agents on your on-premises environment (see

Now you can manage this feature by controlling how it is going to work – aka manage your own banned passwords list, enforce the feature or enable the Smart Lookout (to restrict the risk of getting your AD account locked because somebody is trying to guess your password).

To manage Azure AD Password Protection, connect to your Azure portal (or Azure AD portal) with your global administrator account and reach the Authentication methods configuration blade shown below the Security option of your Azure AD


From this blade you have only one configuration option for Password Protection

The Password Protection blade will then let you configure:

  • the Smart Lockout threshold
  • the duration for the lockout
  • Enable/disable and manage your own banned passwords list
  • Enable/disable the use of the Azure AD Password Protection
  • and finally enforce the use of Azure AD Password Protection – the default (after the activation of the agents) is set to Audit. The Enforce mode will block the possibility for your end-users to use any banned/blocked password


NOTE the banned password can not be longer than 16 characters

Azure – Use Azure AD Password Protection with your on-premises Active Directory

You may already know that Azure AD is using advanced technologies to protect your credentials, especially your password. It even detects if the password you are trying to use (when you have to change it due to expiration) has been used too much or has been compromised (or banned).

This is a huge security feature but until now this was only available if you use Azure AD for authentication. Starting today (in preview), you can now use these capabilities with your on-premises Active Directory with a component called Azure AD password protection for Windows Server Active Directory.


First things first, here are the requirements to get it working with your on-premises environment:

  • Deploy a local agent (; this agent must be deployed on server running Windows 2012 at least
  • Azure AD Premium licenses
  • Off course network communication between the server(s) running the agent and at least one AD DS domain controller
  • Administrative permissions to deploy and configure the agent
    • Azure AD Global administrator for the agent registration
    • AD DS domain administrator on the root forest

How it works

The below diagram is a courtesy of Microsoft, describing how this feature works.



  • Download the Azure AD password protection agent here
    • You will see there are 2 MSI packaged:
      • AzureADPasswordProtectionDCAgent.msi: to be deployed on domain controllers
      • AzureADPasswordProtectionProxy.msi: is managing the communication between your AD DS domain controllers and Azure AD to deliver the service.It is recommended to deployed it on at least 2 servers as usual for fault tolerance

Deploy the proxy agent

  • Deploy the agent proxy (AzureADPasswordProtectionProxy.msi) on at least 2 servers and register it

NOTE you can deploy it silently as there is no installation options required(msiexec.exe /i AzureADPasswordProtectionProxy.msi /quiet /qn or with SCCM) and then once ready execute the registration steps


Register and configure the proxy agent

  • Open a PowerShell prompt using the run as administrator and execute the following command

NOTE if you had a PowerShell prompt already opened, you will need to open a new one

Import-Module AzureADPasswordProtection


  • Execute the registration of the proxy agent to Azure AD (using your Azure AD GA account) and register your domain/forest (in case of multi domains forest you need to use your domain admin account from the root domain)

If your Azure AD global administrator account is the same (and sync with Azure AD) than the AD DS domain admin account, you can ignore the -ForestCredential parameter

NOTE it may take sometime to complete the registration process for the first agent

$tenantAdminCreds = Get-Credential

$domainAdminCreds = Get-Credential

Register-AzureADPasswordProtectionProxy -AzureCredential $tenantAdminCreds –ForestCredential $domainAdminCreds


You can check the registration has been successfully completed (unless you got an error message) by accessing the Windows Event log for the AzureADPasswordProtection (available below the following path Applications and Services Logs\Microsoft\AzureADPasswordProtection\Operational) log and look for the events:

  • 3000 which logs the registration start
  • 3001 which logs the successful registration


  • Then you can register your AD DS forest using the command

NOTE you just need to run this AD DS forest registration step only once. If you deploy multiple proxy agent, there is no need to run again this command

Register-AzureADPasswordProtectionForest -AzureCredential $tenantAdminCreds


You can check the registration has been successfully completed (unless you got an error message) by accessing the Windows Event log for the AzureADPasswordProtection (available below the following path Applications and Services Logs\Microsoft\AzureADPasswordProtection\Operational) log and look for the events:

  • 3003 which logs the registration start
  • 3004 which logs the successful registration


A new service container is being created in your AD DS forest. This container is used to register all agent (DC or proxy) and the certificates used to authenticate against Azure AD

CN=Azure AD Password Protection,CN=Services,CN=Configuration,DC=<removed>,DC=local


Deploy the DC agent

NOTE it is important to note that a server restart is required after installing the DC agent

  • Execute the AzureADPasswordProtectionDCAgent.msi and restart the domain controller


You can check the registration has been successfully completed (after the server restart) by accessing the Windows Event log for the AzureADPasswordProtection (available below the following path Applications and Services Logs\Microsoft\AzureADPasswordProtection\DCAgent\Operational) log and look for the events:

  • 1000 which logs the DLL load
  • 2001 which logs the successful start of the Azure AD Password Protection service


This is it, once you have deployed at least one proxy and one DC agent, you are now able to use Azure AD Password Protection.

SharePoint Online–Update in external sharing

To keep SharePoint external files (or folders) sharing secure while improving the end-user experience, an update is being deployed (roll out completion scheduled for end of June) to change the ‘one-time password’ functionality for external users which are also hosted on another Office 365 tenant.

With this update, they will no longer need a one-time password but will logon using their current Office 365 credentials when accessing shared files/folders.

This will end with the creation of a guest account on your tenant.

WordPress – Few details about my migration from SharePoint blog to WordPress

As announced few days ago, I have decided to move on from SharePoint 2016 for hosting my blog.

Now, my blog is running on WordPress using SQL Server as database server, and not MySQL (even if this is still installed anyway).

As promised when I have announced the migration, here are few details about my migration which went quite smoothly, despite few issues:

  • I’m using the ProjectNami to run WordPress with SQL ( – which can be deployed on Azure or on your on-premises server
  • WordPress and his required components (PHP 7, MySql, ) using the Microsoft Web Platform Installer (available here
    • First I installed only PHP 7.2 (both x86 and x64 bits version)
    • Then I installed the Microsoft Drivers for PHP 7.2 for SQL Server in IIS (both x86 and x64 bits version)
    • Finally,I installed WordPress, which installed the additional requirements (IIS Role, URL ReWrite, MySql…)

Installing in this order helps to ensure all the requirements to get WordPress working with SQL are installed and configured properly (the Web Platform Installer is taking care of everything for you)

So then I had to identify and choose which plugins to use in order to protect my server and provide good user experience. I choose:

  • Akismet Anti-Spam to protect the comment section of the blogimage





  • All In One WP Security, to implement dedicated WordPress security measures – even if few of them apply only on Apacheimage




  • Easy HTTPS (SSL) Redirection, to manage the automatic redirection from HTTP to HTTPS (it is not yet configured)
  • Jetpack by WordPress (automatically recommended), to get usage statistics and improved authoring experienceimage
  • Media Library Foldes for WordPress, to organize the WP media gallery with foldersimage





  • Redirect List, to manage URL’s redirection – as the URL’s from SharePoint will no longer works
  • Redirection, mainly used to get 404 logs to update the redirection list.image

It is supposed to also handle the redirections but this part of the plugin does not work (as it uses his own table, and so is incompatible with the SQL query expected by SQL server). Quite useful anyway because of the 404 logs


  • SEOPress, to handle the search engines optimization; including Google Analytics integration
  • Website tools by AddThis, to keep the integration with the AddThis analytic service (previously used on the SharePoint blog for sharing)

Off course there has been another choice: which theme to use. I finally decided to keep one of the default themes provided by ProjectNami.

And last but not least, was to migrate the content of the SharePoint blog to WordPress.

In fact I had no really choice for the migration as the out of the box migration components (or even plugins) were not satisfying; either because of the SharePoint constraints (like the RSS feed) or because I have loosing all the formatting (CSV export/import).

I finally found a tool developed by René Hézser ( which did also a SharePoint blog to WordPress migration. Unfortunately I faced a blocking issue when migrating the posts; the categories were migrated successfully.

When running René’s tool, I got an access denied when creating the posts on WordPress. Obviously this was not a WordPress permission issue as I got the categories created. Thankfully René also provides the source code of his tool, so I used Visual Studio and ran the code in debug mode to identify the issue was with the blog’s attachments. Indeed, all the screenshots on my posts were attached to the post and not save to a Picture library because I’m using Live Writer.

So I isolated the code use to migrate the pictures (from the SharePoint library) to not use it (this implies few code change on multiple place) and successfully ran the full migration of my SharePoint blog to WordPress, keeping the formatting, published date (mostly, I will come back on this one later)… To fully complete the migration I opened the SharePoint blog using Windows Explorer (best is to use Map a network drive) to browse to the Posts library and copy the Attachments folder. I saved this folder in the file system on the WordPress server (ensure you are keeping the complete relative path /Lists/Posts/Attachments).

I then use Excel to generate the URL redirection list for the posts and category to map with the WordPress format (like /Lists/Categories/Category.aspx?CategoryId= or /Lists/Categories/Category.aspx?Name= to /category/).

After going live I monitored thanks to the Redirection plugin the 404 errors to handle redirection updates. This is when I discovered I got few (thankfully) posts with a published date set to 1 day after the real one (as of today I have something like 50 impacted posts, over more than 1000’s).

This is it; this was my, quite overall, easy migration from SharePoint blog to WordPress.

Exchange Online – Exchange Hybrid Organization Transfer

You know already that you can integrate your Exchange On-Premises with Exchange Online in an Exchange Hybrid configuration, allowing a consistent user experience wherever the mailbox is hosted.

But there was still few things missing. Few of them are (or were) the retention policies / retention tags, OWA / Mobile /ActiveSync policies which needed to be re-created on Exchange Online and maintain in both place.

An updated Exchange Hybrid Configuration Wizard had been deployed and is now allowing you can also transfer (one time transfer anyway) your retention policies from On-Premises (from Exchange 2010 to Exchange 2016) to Online.

As first step, only missing policies on ExO will be transfer. You will still have to maintain in both place if you make any updates on these policies (which usually is not the so frequent).

The option to transfer the missing retention policies is available when running the Exchange Hybrid Configuration Wizard ( by enabling the Organization Configuration Transfer show at the bottom of the wizard. You can take advantage of this capability with both hybrid configuration options (minimal or full).


And the result is shown below; first screenshots are the existing retention policies on my Exchange On-Premises and Exchange Online, and then after running the update HCW, the missing retention policies in ExO have been created.


Office 365 – Remove previous MSI install

As you may know, before installing Office 365 Pro Plus it is recommended to uninstall previous MSI Office install.

While it was already possible to perform this uninstall either manually when running the Office 365 Pro Plus setup or using an XML configuration file, it was not so easy.

An updated version of the Office Deployment Tool is now available which includes a new RemoveMSI capability, helping you to properly uninstall previous MSI install (like remove all other Office products or keep some)

You can get more detail here

NOTE to use this new capability you must deploy at least Office 365 Pro Plus version 1803 on Windows 7 or later

Azure – New alerts experience coming up

An updated experience for alerts on Azure is coming (currently in preview).

If you want to enable the new experience, access your Azure portal and reach the Monitor\Alerts blade, then click on the purple banner to enable it


The new experience is providing better insight on alerts and what is happening on your Azure tenant/resources by grouping by severity (the well known severity level 0 (critical) to 4)


You can roll back to the previous experience (at least until the experience is GA) by clicking again on the blue banner.

If there is any alert, you can click on it to get more details and history


Also similar alerts will be automatically group, using machine learning, to reduce the noise

Blog migrated from SharePoint to WordPress

As you may have notice, I have migrated my blog from SharePoint 2016 to WordPress.

I will post later some information as I have been facing an issue to get the all the previous posts migrated.

It is now live. I still have few work to do but the main things are done. By the way, all previous URL’s should continue to work as I’m implementing a redirection for all ‘SharePoint post’.


Exchange Online – Update in Office 365 Message Encryption for attachments

An update is going to be rolled out (and disabled by default) for Office 365 Message Encryption.

With this update administrators will be able to allow/deny the opening of an attachment outside of an Office 365 service (like Gmail or Outlook) were not able to open attachments send using Office 365 Message Encryption.

As of today (and until your administrators enable it), attachments can not be opened when sent through Message Encryption.

IMPORTANT if downloading/opening attachments sent through Message Encryption is being allowed by your administrator, the attachment will not be protected. The principle of this update is the decryption/protection is being removed on the back end to allow recipient opening the attachments. Additional protection (like Azure Information Protection) is required if you want to keep encrypted/protected your attachment.

To enable (or disable) this feature (“Decrypt Attachment”) you need to run the following Exchange Online PowerShell (get if from command

Set-IRMConfiguration –DecryptAttachmentFromPortal $true (or $false)