Category: Office365


This article walks you through assigning product licenses to a group of users in Azure Active Directory (Azure AD) and then verifying that they’re licensed correctly:

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-licensing-group-assignment-azure-portal

https://www.codetwo.com/admins-blog/how-to-change-language-in-office-365-portal-in-hybrid-environment

https://answers.microsoft.com/en-us/office/forum/office_365hp-office_account/office-365-how-do-i-change-my-default-language-not/00c77858-5eed-4058-8f95-81fc40e802d9?auth=1

Reference article: https://blogs.technet.microsoft.com/office_resource_kit/2014/01/21/managing-updates-for-office-365-proplus-part-1/

Extracts:

Q1. Well…how do automatic updates work? Can I control them?

A1.  A default install of Office 365 ProPlus is configured to update automatically from the cloud.  Separately, each month a new build of Office 365 ProPlus is released in the cloud.  When a computer with Office 365 ProPlus detects that a new build is available, the difference – or delta – between the new build and the existing one is streamed down in the background.  Updates are then installed when Office apps/processes aren’t running. So, with the default configuration Office 365 ProPlus, you will always be up-to-date. IT Pros can customize the configuration by controlling if updates are searched and applied automatically and/or from which source this will happen.  (More on this in Managing Updates for Office 365 ProPlus – Part 2.)

 …

Q4. I use WSUS and/or System Center Configuration Manager to manage Office updates today.  Can I continue to use these products to update Office 365 ProPlus?

A4.  Automatic updates is a servicing model built into Office 365 ProPlus, and provides the ability to be always up to date, or “evergreen”, with security and functionality enhancements.  Office 365 ProPlus updates are not provided via Windows Update.  Some environments may prefer to use their existing software distribution tool to manage updates for Office 365 ProPlus, and this can be facilitated using the Office Deployment Tool.  Check out the References section below for more information.

….

How to use ODT for O365?

https://support.office.com/en-us/article/Overview-of-the-Office-2016-Deployment-Tool-bb5b62d9-1168-47e9-9d54-15a958acfcca?ui=en-US&rs=en-US&ad=US

A really nice presentation of the Office 365 launch project kick-off at Continental, which took place recently.

http://www.harald-schirmer.de/2017/10/17/continental-goes-new-work-style/

Continental is a global company with 150K users across 500 locations in 50 countries.

https://www.youtube.com/watch?v=fVxhbuoamYI&feature=youtu.be

Here are the projects/work streams they have put in place:

  • Project Business & Future Work Style – in charge of Business Requirements and driving the New Work Style
  • Project IT – launching O365 and decommissioning existing systems
  • Work stream Technical Integration – integrating into the existing landscape
  • Work stream Communication & Learning – find ways to train the 150K users
  • Work Stream Support Functions – dealing/coordinating Legal, Data Protection, Purchasing topics
  • Work Stream Future Work & Change – Design the journey for People to get into Office 365
  • Work Stream Service Management & IT Operations – including Testing
  • Work Stream Requirements & Solutions – bridge between IT and Business Topics

It’s a mixture of people from IT, HR, Legal, ….

This post tries to explain some relevant timing parameters on the ADFS side. I'm not saying the defaults aren't good; that's something you have to decide for yourself.

Introduction

WS-Fed/SAML protocol requirement: all times are UTC. ADFS ignores the server's local time zone and expresses every token timestamp in UTC.

Dates in SAML

A Security Assertion Markup Language (SAML) assertion may contain several attributes holding dates. For example, the following Conditions element of a SAML assertion has two date attributes:
<saml:Conditions NotOnOrAfter="2013-07-29T23:49:40.051Z" NotBefore="2013-07-29T23:39:40.051Z">

Time in SAML elements is expressed in the xs:dateTime format (xs being the usual prefix for the W3C XML Schema namespace). The Z at the end indicates Coordinated Universal Time (UTC), also called Zulu time. SAMLCore explicitly references the "W3C XML Schema Datatypes specification [Schema2]", which in turn references ISO 8601.

Dates in OpenTokens

An OpenToken contains several dates. For example, the following OpenToken contains three:

not-before=2012-11-15T07:41:54Z
authnContext=urn:oasis:names:tc:SAML:2.0:ac:classes:Password
subject=joe
not-on-or-after=2012-11-15T07:46:54Z
renew-until=2012-11-15T19:41:54Z

The OpenToken format also uses ISO 8601 timestamps, in UTC.
See also: Microsoft KB 884804, "How to convert UTC time to local time".

WebSSOLifetime (Default 480 = 8 hours)

This parameter is farm-wide: once configured, it applies to all of the ADFS relying parties (it shows up as SsoLifetime in the output of Get-AdfsProperties). Whenever a user asks for a token for a given RP, he first has to authenticate to the ADFS service. From the ADFS service he receives two tokens: one that proves who he is (let's call that the ADFS token) and one for the RP (the RP token). This is very much like the TGT and service tickets of Kerberos.

The WebSSOLifetime determines how long the ADFS token can be used to request new RP tokens without re-authenticating. In other words, the user can ask for new tokens for this RP, or for other RPs, and will not have to prove who he is again until the WebSSOLifetime expires the ADFS token.

TokenLifetime (Default 0 (which is 10 hours))

The TokenLifetime is now easy to explain. This parameter is configurable per RP. Whenever a user receives an RP token, it expires at some point; at that time the user has to go back to the ADFS server and request a new RP token. If the ADFS token is still valid, he will not have to re-authenticate; if it has expired as well, he will.

One argument for lowering the TokenLifetime is that you want the claims to be refreshed sooner. With the default, when something in the attribute store is modified, it may take up to 10 hours before the change reaches the user's claims, because the RP keeps trusting the token it already holds.
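The two lifetimes above are easy to drift apart across dozens of relying parties. The following PowerShell is an added example, not code from the original post: it reports the farm-wide SSO lifetime and each relying party's TokenLifetime and NotBeforeSkew, flagging values above thresholds you choose. The thresholds and the relying-party identifier in the usage lines are assumptions.

```powershell
# Added example, not code from the original post. Audits the lifetimes discussed above:
# the farm-wide SSO lifetime (SsoLifetime, which the post calls WebSSOLifetime) and each
# relying party's TokenLifetime and NotBeforeSkew. Thresholds are assumptions.
function Get-AdfsLifetimeReport {
    param(
        [int]$MaxTokenLifetimeMinutes = 60,   # flag RPs whose tokens live longer than this
        [int]$MaxNotBeforeSkewMinutes = 5     # flag RPs whose NotBefore is back-dated more than this
    )
    # ADFS 2.0 needs Add-PSSnapin Microsoft.Adfs.PowerShell first; 2012 R2 and later auto-load the module.
    $farm = Get-AdfsProperties

    $rps = foreach ($rp in Get-AdfsRelyingPartyTrust) {
        $flags = @()
        if ($rp.TokenLifetime -gt $MaxTokenLifetimeMinutes) { $flags += 'long token lifetime' }
        if ($rp.NotBeforeSkew -gt $MaxNotBeforeSkewMinutes) { $flags += 'large NotBeforeSkew' }

        # 0 means "use the ADFS default", not a zero-minute token, so report it as such.
        $lifetime = if ($rp.TokenLifetime -eq 0) { 'default' } else { "$($rp.TokenLifetime) min" }

        [pscustomobject]@{
            Name          = $rp.Name
            Identifier    = ($rp.Identifier -join ', ')   # Identifier is a string array
            Enabled       = $rp.Enabled
            TokenLifetime = $lifetime
            NotBeforeSkew = "$($rp.NotBeforeSkew) min"
            Flags         = ($flags -join '; ')
        }
    }

    [pscustomobject]@{
        SsoLifetimeMinutes = $farm.SsoLifetime   # how long the "ADFS token" keeps issuing RP tokens
        RelyingParties     = $rps
    }
}

# Usage: review the flagged trusts, then tighten one trust and the farm-wide window.
$report = Get-AdfsLifetimeReport
"SSO lifetime: $($report.SsoLifetimeMinutes) min"
$report.RelyingParties | Where-Object Flags | Format-Table Name, TokenLifetime, NotBeforeSkew, Flags
# Set-AdfsRelyingPartyTrust -TargetIdentifier 'urn:example:rp' -TokenLifetime 60 -NotBeforeSkew 2
# Set-AdfsProperties -SsoLifetime 480
```

Run it on the primary farm node. A long TokenLifetime is the window in which a stolen RP token stays usable and in which revoked group memberships are still honoured, so the report is as much a security review as a troubleshooting aid.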

NotBefore and NotOnOrAfter, NotBeforeSkew

Setting up federated trusts with third-party vendors to give users single sign-on (SSO) is very common, and SAML 2.0 is the preferred method. One issue with it is making sure the SAML tokens have a valid lifespan: when does a token become valid, and when is it no longer valid? The SAML specification provides a <saml:Conditions> element with two attributes for this, NotBefore and NotOnOrAfter. NotBefore holds the date and time at which the assertion becomes valid; NotOnOrAfter holds the date and time from which the assertion is no longer valid (the upper bound is exclusive, as the name says). Both must be UTC values with no time-zone offset, hence the trailing Z. As long as the token is presented between NotBefore and NotOnOrAfter, the assertion is valid.

But what happens when the IdP server's clock and the third-party server's clock differ by a few seconds, or even a couple of minutes? Authentication may fail, because the third-party server may see the assertion as not yet valid: its own clock has not reached the NotBefore value yet.

Luckily, ADFS 3 (Windows Server 2012 R2) offers a simple solution. A time-skew value can be set on the relying party trust on the ADFS server. This property is called NotBeforeSkew and contains the number of minutes by which to back-date the NotBefore value. Setting NotBeforeSkew to 5 results in a NotBefore five minutes earlier than the issue instant, so a relying party whose clock lags by up to five minutes still accepts the assertion. Keep the value small: back-dating NotBefore also lengthens the window in which a captured assertion is accepted.

The following PowerShell command can be used to set the NotBeforeSkew value.

Set-ADFSRelyingPartyTrust -TargetIdentifier "<relying party identifier>" -NotBeforeSkew 5

Example:

https://answers.splunk.com/answers/350999/using-saml-for-authentication-why-do-we-get-time-s.html
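To make the timestamp handling from "Dates in SAML" and the NotBeforeSkew fix above concrete, here is an added PowerShell example (not code from the original post or from ADFS itself). It builds a <saml:Conditions> element the way an issuer does, optionally back-dating NotBefore, and then evaluates it against a relying party whose clock is behind the IdP's. The timestamps, the two-minute drift and the ten-minute lifetime are constructed for the scenario.

```powershell
# Added example, not code from the original post. Builds a <saml:Conditions> element the way
# an IdP does (with an optional NotBeforeSkew back-dating NotBefore) and evaluates it against
# a relying party whose clock may be off. Timestamps, drift and lifetime are constructed.

function New-SamlConditions {
    param(
        [Parameter(Mandatory)][datetimeoffset]$IssuedAt,   # the IdP's clock at issuance
        [int]$LifetimeMinutes = 60,                         # token lifetime, in minutes
        [int]$NotBeforeSkew   = 0                           # minutes to back-date NotBefore
    )
    # xs:dateTime in UTC with a trailing Z, the same shape as the Conditions element quoted above.
    $fmt = "yyyy-MM-dd'T'HH:mm:ss.fff'Z'"
    $utc = $IssuedAt.ToUniversalTime()
    $notBefore    = $utc.AddMinutes(-$NotBeforeSkew).ToString($fmt)
    $notOnOrAfter = $utc.AddMinutes($LifetimeMinutes).ToString($fmt)
    '<saml:Conditions xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ' +
        "NotBefore=`"$notBefore`" NotOnOrAfter=`"$notOnOrAfter`"/>"
}

function Test-SamlConditions {
    param(
        [Parameter(Mandatory)][string]$ConditionsXml,
        [Parameter(Mandatory)][datetimeoffset]$RpNow        # the relying party's clock
    )
    $node = ([xml]$ConditionsXml).DocumentElement
    # XmlConvert parses xs:dateTime and keeps the offset: a trailing Z becomes +00:00.
    $notBefore    = [System.Xml.XmlConvert]::ToDateTimeOffset($node.GetAttribute('NotBefore'))
    $notOnOrAfter = [System.Xml.XmlConvert]::ToDateTimeOffset($node.GetAttribute('NotOnOrAfter'))

    # The assertion is valid only while NotBefore <= now < NotOnOrAfter (upper bound exclusive).
    $reason = if ($RpNow -lt $notBefore)        { 'not yet valid: NotBefore is in the future' }
              elseif ($RpNow -ge $notOnOrAfter) { 'expired: NotOnOrAfter reached' }
              else                              { 'valid' }

    [pscustomobject]@{
        Valid          = ($reason -eq 'valid')
        Reason         = $reason
        NotBeforeLocal = $notBefore.ToLocalTime()   # UTC to local time, as in KB 884804
        RpNow          = $RpNow
    }
}

# Constructed scenario: the IdP's clock runs two minutes ahead of the relying party's.
$rpNow  = [datetimeoffset]'2013-07-29T23:39:40Z'
$idpNow = $rpNow.AddMinutes(2)

# Default trust (NotBeforeSkew 0): the RP sees a NotBefore two minutes in its own future
# and rejects the assertion even though the IdP issued it a moment ago.
$strict = New-SamlConditions -IssuedAt $idpNow -LifetimeMinutes 10
Test-SamlConditions -ConditionsXml $strict -RpNow $rpNow | Format-List Valid, Reason

# The same trust after Set-ADFSRelyingPartyTrust ... -NotBeforeSkew 5: NotBefore is
# back-dated five minutes, so a drift of up to five minutes no longer fails the check.
$skewed = New-SamlConditions -IssuedAt $idpNow -LifetimeMinutes 10 -NotBeforeSkew 5
Test-SamlConditions -ConditionsXml $skewed -RpNow $rpNow | Format-List Valid, Reason
```

The fix lives on the issuer side; whether the relying party additionally tolerates skew on its own end depends on the product, which is why fixing the clocks (NTP on both sides) remains the first thing to check.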

What’s new in ADFS 2016?

https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/overview/whats-new-active-directory-federation-services-windows-server-2016?f=255&MSPPError=-2147217396

  • Eliminate Passwords from the Extranet
  • Sign in with Azure Multi-factor Authentication
  • Password-less Access from Compliant Devices
  • Sign in with Microsoft Passport
  • Secure Access to Applications
  • Better Sign in experience
  • Manageability and Operational Enhancements

You can upgrade an AD FS 2012 R2 farm using the "mixed farm" process described in the Microsoft upgrade documentation linked below. It works for WID and SQL farms, though the document shows only the WID scenario. The Kloud posts linked below describe another upgrade procedure:

  1. Active Directory schema update using ‘ADPrep’ with the Windows Server 2016 additions
  2. Build Windows Server 2016 servers with ADFS and install into the existing farm and add the servers to the Azure load balancer
  3. Promote one of the ADFS 2016 servers as “primary” of the farm, and point all other secondary servers to the new “primary”
  4. Build Windows Server 2016 servers with WAP and add the servers to the Azure load balancer
  5. Remove the WAP 2012 servers from the Azure load balancer
  6. Remove the ADFSv3 servers from the Azure load balancer
  7. Raise the Farm Behavior Level feature (FBL) to ‘2016’
  8. Remove the WAP servers from the cluster
  9. Upgrade the WebApplicationProxyConfiguration version to ‘2016’
  10. Configure ADFS 2016 to support Azure MFA and complete remaining configuration
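The ADFS- and WAP-side steps of that list map onto a handful of cmdlets. What follows is an added PowerShell example, not from the original post or the linked blogs: steps 1, 3, 7 and 9, each preceded by the read-only check you run before a step that cannot be undone. The host name and the media path are placeholders.

```powershell
# Added example, not from the original post or the linked blogs: PowerShell for the
# ADFS/WAP-side steps of the list above (1, 3, 7 and 9), with the read-only checks to run
# before each step that cannot be undone. Host names and paths are placeholders.

$newPrimary = 'adfs2016-01.corp.example.com'   # assumed name of the first 2016 node

# Step 1 (Schema Admins and Enterprise Admins, from the Windows Server 2016 media):
#   D:\support\adprep\adprep.exe /forestprep
#   D:\support\adprep\adprep.exe /domainprep

# Step 3, on the 2016 node that is to become primary:
Set-AdfsSyncProperties -Role PrimaryComputer
# Step 3, on every other node in the farm, 2012 R2 and 2016 alike:
Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName $newPrimary
Get-AdfsSyncProperties        # check Role and PrimaryComputerName on each node

# Step 7, on the primary, once every 2012 R2 node is out of the farm. Raising the farm
# behavior level is one-way, so look at the farm and the pre-check output first.
Get-AdfsFarmInformation       # CurrentFarmBehavior plus FarmNodes: only 2016 nodes may remain
Test-AdfsFarmBehaviorLevelRaise
# Continue only when the test reports no problems. The cmdlet writes to Active Directory,
# so pass -Credential with a domain admin account if the logged-on user cannot.
Invoke-AdfsFarmBehaviorLevelRaise
Get-AdfsFarmInformation       # CurrentFarmBehavior should now show the 2016 level

# Step 9, on a WAP 2016 server, after the FBL has been raised:
Set-WebApplicationProxyConfiguration -UpgradeConfigurationVersion
(Get-WebApplicationProxyConfiguration).ConfigurationVersion   # expect Windows Server 2016
```

Keep the 2012 R2 nodes powered off rather than rebuilt until the raised farm has been in production for a while; before the FBL raise they are the only rollback path.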

https://blog.kloud.com.au/2017/01/20/adfs-v-3-0-2012-r2-migration-to-adfs-4-0-2016-part-1/

https://blog.kloud.com.au/2017/01/23/adfs-v-3-0-2012-r2-migration-to-adfs-4-0-2016-part-2/

https://blog.kloud.com.au/2017/01/25/wap-2012-r2-migration-to-wap-2016/

Other links:

http://www.mrchiyo.com/migrating-mixed-mode-ad-fs-full-windows-server-2016-ad-fs-farm/

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server

http://blog.ryanbetts.co.uk/2017/02/upgrade-adfs-30-to-40-with-windows.html

https://araihan.wordpress.com/2017/03/20/upgrading-ad-fs-to-windows-server-2016-fbl/

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016

ADFS 2016 operations

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/ad-fs-2016-operations

ADFS 2016 deployment

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/ad-fs-deployment

ADFS 2016 design

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/design/ad-fs-design-guide

Office 365 and Project/Visio?

On deploying the binaries: https://support.office.com/fr-fr/article/Guide-de-d%c3%a9ploiement-pour-Office-365-ProPlus-f99f8cd0-e648-4834-8f45-f5637351899d?ui=fr-FR&rs=fr-FR&ad=FR

On installing Project/Visio side by side with Office 365: https://support.office.com/fr-fr/article/Guide-de-d%c3%a9ploiement-pour-Office-365-ProPlus-f99f8cd0-e648-4834-8f45-f5637351899d?ui=fr-FR&rs=fr-FR&ad=FR

Reference article:

https://blogs.technet.microsoft.com/applicationproxyblog/2014/08/20/web-application-proxy-powershell-cheat-sheet/

http://ms.darrenongpt.com/2015/07/remove-web-application-proxy-wap-from.html

Symptom:

On the current WAP server wapserver1, the Remote Access Management console lists a server called server2. How do you remove this server from the cluster list?

Solution:

On wapserver1, open a PowerShell prompt and run the following (the original one-liner abbreviates the two cmdlets as swpc and gwpc). The -ne operator applied to the array of connected server names filters that name out:

Set-WebApplicationProxyConfiguration -ConnectedServersName ((Get-WebApplicationProxyConfiguration).ConnectedServersName -ne 'server2.domain.local')

Run Get-WebApplicationProxyConfiguration afterwards to display the list of WAP servers and confirm the entry is gone.
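The one-liner does the job but will happily remove a name that is not in the list, or the server you are typing on. Here is an added PowerShell example (not from either linked post) that wraps the same change with those two checks and a -WhatIf preview. The server name is a placeholder.

```powershell
# Added example, not code from the original posts. Removes a stale member from the WAP
# cluster list with the two checks the one-liner above skips: the name has to be in the
# list, and it must not be the server you are running on. Server names are placeholders.
function Remove-WapClusterMember {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$ServerFqdn)

    # @() keeps a single remaining entry as an array so that -ne below still filters.
    $current = @((Get-WebApplicationProxyConfiguration).ConnectedServersName)
    if ($current -notcontains $ServerFqdn) {
        throw "'$ServerFqdn' is not in the cluster list: $($current -join ', ')"
    }
    $localFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    if ($ServerFqdn -ieq $localFqdn) {
        throw "Refusing to remove the local server ($localFqdn) from its own cluster list"
    }

    $remaining = @($current -ne $ServerFqdn)
    if ($remaining.Count -eq 0) {
        throw 'Removing this entry would leave the cluster list empty'
    }
    if ($PSCmdlet.ShouldProcess($ServerFqdn, 'Remove from WAP cluster list')) {
        Set-WebApplicationProxyConfiguration -ConnectedServersName $remaining
        # Return what the configuration now holds so the caller sees the result.
        @((Get-WebApplicationProxyConfiguration).ConnectedServersName)
    }
}

# Preview first, then run for real:
# Remove-WapClusterMember -ServerFqdn 'server2.domain.local' -WhatIf
# Remove-WapClusterMember -ServerFqdn 'server2.domain.local'
```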

Description

Today AD FS is made highly available by setting up an AD FS farm. Some organizations would like a way to have a single server AD FS deployment, eliminating the need for multiple AD FS servers and network load balancing infrastructure, while still having some assurance that service can be restored quickly if there is a problem. The new AD FS Rapid Restore tool provides a way to restore AD FS data without requiring a full backup and restore of the operating system or system state. You can use the new tool to export AD FS configuration either to Azure or to an on-premises location. Then you can apply the exported data to a fresh AD FS installation, re-creating or duplicating the AD FS environment.

Scenarios

The AD FS Rapid Restore tool can be used in the following scenarios:
1. Quickly restore AD FS functionality after a problem
   • Use the tool to create a cold standby installation of AD FS that can be quickly deployed in place of the online AD FS server

2. Deploy identical test and production environments
   • Use the tool to quickly create an accurate copy of the production AD FS in a test environment, or to quickly deploy a validated test configuration to production

What is backed up

The tool backs up the following AD FS configuration:
• AD FS configuration database (SQL or WID)
• Configuration file (located in the AD FS folder)
• Automatically generated token-signing and token-decrypting certificates and private keys (from the Active Directory DKM container)
• SSL certificate and any externally enrolled certificates (token signing, token decryption and service communication) and the corresponding private keys (note: the private keys must be exportable and the user running the script must have permission to access them)
• A list of the custom authentication providers, attribute stores and local claims provider trusts that are installed

Download and usage

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-rapid-restore-tool
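Because the export contains the token-signing and decryption private keys, where it lands matters as much as that it runs. The following is an added PowerShell example, not from the original post or the tool's documentation: it creates an export folder readable only by Administrators and SYSTEM, prompts for the encryption password instead of hard-coding it, and then runs the backup. Cmdlet and parameter names are those the tool's documentation uses, as far as I know them; the path is a placeholder.

```powershell
# Added example, not code from the original post. Exports the ADFS configuration with the
# Rapid Restore tool into a folder only Administrators and SYSTEM can read. The export holds
# the token-signing private keys, so treat it like a domain controller backup.
# Cmdlet and parameter names follow the tool's documentation; the path is a placeholder.

$exportPath = 'D:\ADFS-Export\' + (Get-Date -Format 'yyyyMMdd-HHmm')
New-Item -ItemType Directory -Path $exportPath | Out-Null

# Lock the folder down before anything is written into it.
$acl = Get-Acl -Path $exportPath
$acl.SetAccessRuleProtection($true, $false)       # stop inheriting and drop inherited ACEs
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $exportPath -AclObject $acl

# Prompt for the password so it does not end up in the console history or in a script
# checked into source control; the same password is needed for Restore-ADFS.
$exportPassword = Read-Host -Prompt 'Export encryption password'
Backup-ADFS -StorageType 'FileSystem' -StoragePath $exportPath -EncryptionPassword $exportPassword `
    -BackupComment "Farm export $(Get-Date -Format s)" -BackupDKM

# On a freshly installed ADFS server, with the same service account available:
# Restore-ADFS -StorageType 'FileSystem' -StoragePath $exportPath -DecryptionPassword $exportPassword -RestoreDKM
```

Run the backup on the primary node with an account that can read the DKM container (-BackupDKM needs it), and copy the result off the box over an encrypted channel; a cold standby that never gets a fresh export is only as current as the last time someone remembered to run this.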