Category: Office365

Key properties of the Azure AD B2B collaboration user



This property indicates the relationship of the user to the host tenancy. This property can have two values:

  • Member: This value indicates an employee of the host organization and a user in the organization’s payroll. For example, this user expects to have access to internal-only sites. This user is not considered an external collaborator.
  • Guest: This value indicates a user who isn’t considered internal to the company, such as an external collaborator, partner, or customer. Such a user isn’t expected to receive a CEO’s internal memo or receive company benefits, for example.


    The UserType has no relation to how the user signs in, the directory role of the user, and so on. This property simply indicates the user’s relationship to the host organization and allows the organization to enforce policies that depend on this property.


This property indicates how the user signs in.

  • Invited User: This user has been invited but has not yet redeemed an invitation.
  • External Active Directory: This user is homed in an external organization and authenticates by using an Azure AD account that belongs to the other organization.
  • Microsoft account: This user is homed in a Microsoft account and authenticates by using a Microsoft account.
  • Windows Server Active Directory: This user is signed in from on-premises Active Directory that belongs to this organization.
  • Azure Active Directory: This user authenticates by using an Azure AD account that belongs to this organization.


    Source and UserType are independent properties. A value of Source does not imply a particular value for UserType.

If your organization has multiple Azure AD (AAD) directories, perhaps due to security requirements, or mergers or acquisitions; it may be a good idea adding guest users from other AAD directories as members.

The main difference between a Guest and a Member is in the lookup rights to the domain. A guest can typically not look up users and groups like a Member user can. A member would need this for self service reasons, and to look up contact information for other users, while you’d typically not want a guest to do that.

In order to convert the user, you currently have to use Powershell. Ypou need to have the AzureAD module installed on your computer.

  1. Log into your Azure AD tenant:
  2. Convert the user

    You may want to search up the user using just the Get-AzureADUser first.


Office 365 Auditing

It can take up to 30 minutes or up to 24 hours after an event occurs for the corresponding audit log entry to be displayed in the search results. The following table shows the time it takes for the different services in Office 365.

Office 365 service 30 minutes 24 hours
Azure Active Directory (admin events) yes
Azure Active Directory (user login events) yes
Exchange Online yes
Microsoft Teams yes
Power BI yes
Security & Compliance Center yes
SharePoint Online and OneDrive for Business yes
Sway yes
Yammer yes


  • Azure Active Directory (Azure AD) is the directory service for Office 365. The unified audit log contains user, group, application, domain, and directory activities performed in the Office 365 admin center or in the in Azure management portal. For a complete list of Azure AD events, see Azure Active Directory Audit Report Events.
  • Exchange Online audit logs consist of two types of events: Exchange admin events (actions taken by administrators) and mailbox events (actions taken by users on mailboxes). Note that mailbox auditing isn’t enabled by default. It must be enable for each user mailbox before mailbox events can be searched for in the Office 365 audit log. For more information about mailbox auditing and the mailbox auditing actions that are logged, see Enable mailbox auditing in Office 365.
  • Audit logging for Power BI isn’t enabled by default. To search for Power BI activities in the Office 365 audit log, you have to enable auditing in the Power BI admin portal. For instructions, see Auditing Power BI.

Note: We’re in the process of turning on auditing by default. Until then, you can turn it on manually.

If you face more than expected delays as described on the temple kindly let me know.

Turn off an activity alert for Auditing

You can turn off an activity alert so that an email notification isn’t sent. After you turn off the activity alert, it’s still displayed in the list of activity alerts for your organization, and you can still view its properties.

  • Go to
  • Sign in to Office 365 using your work or school account.
  • In the left pane, click Alerts, and then click Manage activity alerts.
  • In the list of alerts for your organization, click the alert that you want to turn off.
  • On the Edit alert page, click the On toggle switch to change the status to Off, and then click Save.

The status of the alert on the Activity alerts pages is set to Off.

To turn an activity alert back on, just repeat these steps and click the Off-toggle switch to change the status to On.

Create activity alerts in the Office 365 Security & Compliance Center



To get status:

Get-Mailbox “office365user”| FL Audit*

AuditEnabled : True
AuditLogAgeLimit : 90.00:00:00
AuditAdmin : {Update, Copy, Move, MoveToDeletedItems…}
AuditDelegate : {Update, Move, MoveToDeletedItems, SoftDelete…}
AuditOwner : {}


To setup mailbox audit logging for all user mailboxes in your organization:

Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq “UserMailbox”} | Set-Mailbox -AuditEnabled $true

Here is a PowerShell script to export OU filtering on AADConnect:

$ExcludeFilterFile = “d:\scripts\logs\AADC_ExcludedOU.txt”
$IncludeFilterFile = “d:\scripts\logs\AADC_IncludedOU.txt”
$AADConnector= “”
$AADConn= Get-ADSyncConnector -Name $AADConnector
$AADConPartition = Get-ADSyncConnectorPartition -Connector $AADConn[0] -Identifier $AADConn.Partitions.Identifier.Guid
$AADConPartition.ConnectorPartitionScope.ContainerInclusionList | Out-File -FilePath $IncludeFilterFile
$AADConPartition.ConnectorPartitionScope.ContainerExclusionList | Out-File -FilePath $ExcludeFilterFile
To export other AADConnect settings:

(Get-ADSyncGlobalSettings).Parameters | Export-Csv [path to csv file here]
This will create a spreadsheet with all the parameters names and their values. With this, you have pretty neat documentation of the AD Connect configuration.

Now let’s get the names of the connectors, run:
You will get connectors’ names, their identifiers, installation date, and last modification date.
If you knew the names of the connectors (say, your AD connectors’ name is and your extensible connector called ‘ – AAD’), you could also pass the name to the powershell cmdlet like this:
Get-ADSyncConnectorPartition -Connector (Get-ADSyncConnector -Name ‘mydomain.local’
Get-ADSyncConnectorPartition -Connector (Get-ADSyncConnector -Name ‘ – AAD’)

What commands are available for Partitions?

Get-Command -Module ADSync -Name *partition*


# Get the Partitions through the ‘Partitions’ property on the connector object

Get-ADSyncConnector-Name ‘ – AAD’ | Select-ExpandPropertyPartitions


Identifier             : f083884f-dbf1-4eef-a5b3-02adabc96dbd

DN                     : default

Version                 : 1

CreationTime           : 2/24/2015 12:16:38 AM

LastModificationTime   : 2/24/2015 12:16:38 AM

Selected               : True

ConnectorPartitionScope : Microsoft.IdentityManagement.PowerShell.ObjectModel.ConnectorPartitionScope

Name                   : default

Parameters             : {}

IsDomain               : True

ECMAWaterMark           : ….


# Get just one Partition

Get-ADSyncConnector-Name | Select-ExpandPropertyPartitions | Where Name -eq




AzureAD-Office 354 Tokens Lifetime

You can specify the lifetime of a token issued by Azure Active Directory (Azure AD). You can set token lifetimes for all apps in your organization, for a multi-tenant (multi-organization) application, or for a specific service principal in your organization.


Configurable token lifetime properties

Property Policy property string Affects Default Minimum Maximum
Access Token Lifetime AccessTokenLifetime Access tokens, ID tokens, SAML2 tokens 1 hour 10 minutes 1 day
Refresh Token Max Inactive Time MaxInactiveTime Refresh tokens 90 days 10 minutes 90 days
Single-Factor Refresh Token Max Age MaxAgeSingleFactor Refresh tokens (for any users) Until-revoked 10 minutes Until-revoked1
Multi-Factor Refresh Token Max Age MaxAgeMultiFactor Refresh tokens (for any users) Until-revoked 10 minutes Until-revoked1
Single-Factor Session Token Max Age MaxAgeSessionSingleFactor2 Session tokens (persistent and nonpersistent) Until-revoked 10 minutes Until-revoked1
Multi-Factor Session Token Max Age MaxAgeSessionMultiFactor3 Session tokens (persistent and nonpersistent) Until-revoked 10 minutes Until-revoked1
  • 1365 days is the maximum explicit length that can be set for these attributes.
  • 2If MaxAgeSessionSingleFactor is not set, this value takes the MaxAgeSingleFactor value. If neither parameter is set, the property takes the default value (until-revoked).
  • 3If MaxAgeSessionMultiFactor is not set, this value takes the MaxAgeMultiFactor value. If neither parameter is set, the property takes the default value (until-revoked).


Example token lifetime policies

Many scenarios are possible in Azure AD when you can create and manage token lifetimes for apps, service principals, and your overall organization. In this section, we walk through a few common policy scenarios that can help you impose new rules for:

  • Token Lifetime
  • Token Max Inactive Time
  • Token Max Age

In the examples, you can learn how to:

  • Manage an organization’s default policy
  • Create a policy for web sign-in
  • Create a policy for a native app that calls a web API
  • Manage an advanced policy


In the following examples, you create, update, link, and delete policies for apps, service principals, and your overall organization. If you are new to Azure AD, we recommend that you learn about how to get an Azure AD tenant before you proceed with these examples.

To get started, do the following steps:

  1. Download the latest Azure AD PowerShell Module Public Preview release.
  2. Run the Connect command to sign in to your Azure AD admin account. Run this command each time you start a new session.
    Connect-AzureAD -Confirm
  3. To see all policies that have been created in your organization, run the following command. Run this command after most operations in the following scenarios. Running the command also helps you get the ** ** of your policies.

How to:

before to configure ADFS smart lockout, remove your account from GAD protected users group, else you can get access denied


Primary Domain Controller Requirement

AD FS 2016 offers a parameter that allows fallback to another domain controller when the PDC is unavailable.

  • ExtranetLockoutRequirePDC <Boolean> When enabled, extranet lockout requires a primary domain controller (PDC). When disabled, extranet lockout will fallback to another domain controller in case the PDC is unavailable.The following example shows the cmdlet to enable lockout with the PDC requirement disabled:
    Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold 8 -ExtranetObservationWindow (new-timespan -Minutes 30) -ExtranetLockoutRequirePDC $false

PS C:\WINDOWS\system32> get-adfsproperties | select *extra*

ExtranetLockoutThreshold  : 8
ExtranetLockoutMode       : ADPasswordCounter
ExtranetLockoutEnabled    : True
ExtranetObservationWindow : 00:30:00
ExtranetLockoutRequirePDC : True

PS C:\WINDOWS\system32> $cred = Get-Credential

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
PS C:\WINDOWS\system32> Update-AdfsArtifactDatabasePermission -Credential $cred
PS C:\WINDOWS\system32> Set-AdfsProperties -ExtranetLockoutMode AdfsSmartlockoutLogOnly

This command will set the extranet lockout mode to AdfsSmartLockout.  Verify all nodes have up to date patches and appropriate database permissions have been assigned by
running Update-AdfsArtifactDatabasePermission.  See for more information.
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is “Y”): Y
WARNING: PS0038: This action requires a restart of the AD FS Windows Service. If you have deployed a federation server farm, restart the service on every server in the farm.
PS C:\WINDOWS\system32> restart-service adfssrv
WARNING: Waiting for service ‘Active Directory Federation Services (adfssrv)’ to stop…
WARNING: Waiting for service ‘Active Directory Federation Services (adfssrv)’ to stop…
WARNING: Waiting for service ‘Active Directory Federation Services (adfssrv)’ to stop…
WARNING: Waiting for service ‘Active Directory Federation Services (adfssrv)’ to stop…
WARNING: Waiting for service ‘Active Directory Federation Services (adfssrv)’ to start…
WARNING: Waiting for service ‘Active Directory Federation Services (adfssrv)’ to start…


Observing Audit Events

AD FS will write extranet lockout events to the security audit log:

  • When a user is locked out (reaches the lockout threshold for unsuccessful login attempts)
  • When AD FS receives a login attempt for a user who is already in lockout state

While in log only mode, you can check the security audit log for lockout events. For any events found, you can check the user state using the Get-ADFSAccountActivity cmdlet to determine if the lockout occurred from familiar or unfamiliar IP addresses, and to double check the list of familiar IP addresses for that user.


Enable enforce mode

Once you have been running in log only mode for sufficient time for AD FS to learn login locations and to observe any lockout activity, and once you are comfortable with the lockout threshold and observation window, smart lockout can be moved to “enforce” mode using the PSH cmdlet below:

PS C:\>Set-AdfsProperties -ExtranetLockoutMode AdfsSmartLockoutEnforce

For the new mode to take effect, restart the AD FS service on all nodes in the farm

PS C:\>Restart-service adfssrv

OneDrive and GPO settings

For a federated domain (AD FS) only:
ex: New-MsolDomain -Name -Authentication Federated

=>else use AADConnect wizard

KB article:

For a managed (standard, in cloud, non-federated, password sync, cloud only, whatever you’d like to call it) domain
ex: New-MsolDomain -Name -Authentication Managed

Reference articles:

Deprecated article:

Many customers have shared that they need to meet compliance obligations that specify key management arrangements with their cloud service provider:

How to:

Customer Key Resources            

Office 365 Encryption Resources

Third-party blogs: