Category: Office365

Here are resources about Azure and Office365,

let me summarize:

Office365 : is an offer of MS services and hosted applications – Saas ; in clear you pay for a service (sharepoint,exchange,office…) and you don’t manage the infra behind (like CPU,RAM,Storage,Security)

Azure: is a cloud (private/public) offer – paas/Iaas ; compared to Office365, MS provide just the plumbery (hyper-v, Storage, CPU, RAM, network) and you manage the applications, the Operating system, the security and patches, the applications ; in short “it is like a lego or a Mecano!”, and with Azure you can mix your on-premises IT infra with Azure in the cloud (and vice-versa)

Web resources for Azure  / Office 365:

Office 365 for business get started:


Productivity library (scenarios):

Technical decks:

Technical references:




Azure AD Blog:

Azure Powershell:

Azure RMS blog:

‘In the Cloud’:

Office blog:    and

Intune blog:

Azure training kit:

FAQ and enhancement suggestions:

portal and management:

main:     calculatrice:      white papers:     FR blog:


To go deeper:     Forum:     channel9:     Dashboard/SLAB:


Prerequisites before using Azure:

Prepare your environment:

Need certificates:

How to use CSUpload?

How do you get CSUPLOAD?

CSUPLOAD is part of the Windows Azure SDK. After installing all components, it finds you csupload under the following path:
“C:\Program Files\Microsoft SDKs\Windows Azure\.NET SDK\v2.0\bin\csupload.exe”
How does CSUPLOAD work?

CSUPLOAD is a command console program that the VHDs in the uploads BLOB storage account and authenticated to the azure cloud client certificates.
Overall it with Visual Studio is very simple and fast to create the appropriate certificates, and to distribute them to the appropriate locations through the function
“Publish to Azure” that requires requires developer know-how or you experience with the Visual Studio.

CSUpload syntax reference:

Managing disks and images:

How to:

the article above refers to:


CSUPLOAD how to?

# Create exportable certificate for Azure (use -pe to be exportable)
makecert -r -pe -n “CN=My Azure IaaS Cert2048” -a sha1 -ss My -len 2048 -sy 24 -b 07/08/2013 -e 07/08/2014

then open mmc,load certificates snap-in, My user, personal,
select the certificate, export
to D:\Contoso

upload the certificate, from the Azure portal, settings, certificates management

get the thumbprint: 4D15540AFD7182964651826BE133FB3C868BA4D1

Now with csupload:

“C:\Program Files\Microsoft SDKs\Windows Azure\.NET SDK\v2.0\bin\csupload” Set-Connection “SubscriptionId=eaea9c22-cc5a-4da2-8dd2-d89837f042b7;CertificateThumbprint=4D15540AFD7182964651826BE133FB3C868BA4D1;ServiceManagementEndpoint=”

# just for fun

D:\Contoso>”C:\Program Files\Microsoft SDKs\Windows Azure\.NET SDK\v2.0\bin\csupload” get-Connection
Windows(R) Azure(TM) Upload Tool version
for Microsoft(R) .NET Framework 3.5
Copyright c Microsoft Corporation. All rights reserved.

Warning: CSUpload.exe will be deprecated in a future release. Use the Windows Azure PowerShell cmdlets instead:
ConnectionString          : SubscriptionId=eaea9c22-cc5a-4da2-8dd2-d89837f042b7;CertificateThumbprint=4D15540AFD7182964651826BE133FB3C868BA4D1;ServiceManagementEndpoint=
SubscriptionId            : eaea9c22-cc5a-4da2-8dd2-d89837f042b7
CertificateSubjectName    : CN=Amadeus Azure IaaS Cert2048
CertificateThumbprint     : 4D15540AFD7182964651826BE133FB3C868BA4D1
ServiceManagementEndpoint :

D:\Contoso>”C:\Program Files\Microsoft SDKs\Windows Azure\.NET SDK\v2.0\bin\csupload” get-location
Windows(R) Azure(TM) Upload Tool version
for Microsoft(R) .NET Framework 3.5
Copyright c Microsoft Corporation. All rights reserved.

Warning: CSUpload.exe will be deprecated in a future release. Use the Windows Azure PowerShell cmdlets instead:
Using the saved connection string…
Location : West US

Location : East US

Location : East Asia

Location : Southeast Asia

Location : North Europe

Location : West Europe

A total of 6 record(s) were found.

D:\Contoso>”C:\Program Files\Microsoft SDKs\Windows Azure\.NET SDK\v2.0\bin\csupload” get-hostedservice
Windows(R) Azure(TM) Upload Tool version
for Microsoft(R) .NET Framework 3.5
Copyright c Microsoft Corporation. All rights reserved.

Warning: CSUpload.exe will be deprecated in a future release. Use the Windows Azure PowerShell cmdlets instead:
Using the saved connection string…
Name          : amazure
Label         : amazure
Location      : North Europe

A total of 1 record(s) were found.

D:\Contoso>”C:\Program Files\Microsoft SDKs\Windows Azure\.NET SDK\v2.0\bin\csupload” get-disk
Windows(R) Azure(TM) Upload Tool version
for Microsoft(R) .NET Framework 3.5
Copyright c Microsoft Corporation. All rights reserved.

Warning: CSUpload.exe will be deprecated in a future release. Use the Windows Azure PowerShell cmdlets instead:
Using the saved connection string…
Name                : Contoso-Contoso-0-201308011545510947
Location            : North Europe
OS                  : Windows
LogicalDiskSizeInGB : 128
MediaLink           :
SourceImageName     :

A total of 1 record(s) were found.

Upload a disk (vhd) to Azure:

You can use the Add-Disk parameter of the CSUpload Command-Line Tool to upload a .vhd file and register it in Windows Azure as either an operating system disk or a data disk.
An image is a VHD that has been generalized and is used to create an operating system disk. An operating system disk is a VHD that contains specific settings for a virtual machine.

Specifies a VHD file to be uploaded as a disk. A VHD file that has been uploaded as a disk can be used to create a virtual machine if the file contains an operating system or it can be used to create a data disk that can be attached to a virtual machine.
•–Connection <string> – (Optional if the Set-Connection command has been run) Specifies the connection string that is used to connect to Windows Azure. The connection string contains the identifier of your Windows Azure subscription and the thumbprint of the management certificate that you created to enable API access to the subscription. The connection string is provided in the following format: “SubscriptionID=subscription-id;CertificateThumbprint=cert-thumbprint;ServiceManagementEndpoint=”. You can find the subscription identifier and certificate thumbprint in Management Portal.
•-Destination <string> – Specifies the blob storage account where the VHD file is stored. The destination includes the endpoint of the account, the container in the account where the file is stored, and the name of the VHD file. For example,”;
•-Label <string> – Specifies the identifier that is used for the disk in the Management Portal.
•-LiteralPath <string> – Specifies the location and name of the VHD file to upload as a disk.
•-Name <string> – (Optional) Specifies the name to be used for the VHD file that is being uploaded.
•-OS <string> – (Optional) If the VHD file that is being uploaded contains an operating system to be used with a virtual machine, you must include this parameter with the value of Windows or Linux depending on the type of operating system that is installed.
•-Overwrite – (Optional) Indicates that you intend to overwrite an existing VHD file with a new file.

“C:\Program Files\Microsoft SDKs\Windows Azure\.NET SDK\v2.0\bin\csupload” add-disk -destination -label SP2010 -literalpath d:\contoso\contoso1.vhd -name contoso1.vhd -os Windows

“C:\Program Files\Microsoft SDKs\Windows Azure\.NET SDK\v2.0\bin\csupload” add-disk -destination -label EX2010 -literalpath d:\contoso\contoso2.vhd -name contoso2.vhd -os Windows

Microsoft Fasttrack use cases: productivity library

Office 365 deployment advisors: Deployment advisors


How to move Office 365 data to another Office 365 tenant?

this will includes:

  • exchange online mailboxes
  • sharepoint online data
  • onedrive online data

Read those articles:

Microsoft does not provide at the moment the possibility of transferring mailboxes, Sharepoint and OneDrive data in an automated manner between Office365 tenants

It is not possible to connect between the Office365 servers and send data from one to another. However, with the help of third-party tools like MigrationWiz from BitTitan, Quest Migration Manager from Dell, Sharegate-created especially for the Sharepoint and others – you can prepare and go through the migration process.

Third-party tools can only copy the data, not syncing them!

You need to prepare customers that using third party tools to migrate Office365 between tenants, contents of mailboxes and Sharepoint/One Drive data are copied from one location to another. For example, if mail message has been copied to the destination mailbox and will be removed in source mailbox, then it will still exists in the destination.

• OneDrive for Business (or OD4B)

In the Office365’s OneDrive each user gets their own, separate data space on Sharepoint Online server. At the time of writing this article it is 1 TB. Administrators problem is that by default, this is designed as a user private storage, so until changes of permissions they cannot access it and so migrate data. To copy it across the Office365 tenants, administrator permissions needs to be added to OneDrive sites. You can achieve this via Powershell script for all OneDrive sites.:

$Creds = Get-Credential
Connect-SPOService -Url -credential $Creds
$Users = Get-SPOUser -Site -limit all| Where-Object {$_.LoginName -like ‘*DOMAINNAME.DOMAIN*’}
$Users = $Users.LoginName | ForEach-Object { $_.TrimEnd(“DOMAINNAME.DOMAIN”) } | ForEach-Object { $_.TrimEnd(“@”) }
$Users | ForEach-Object {Set-SPOUser -Site”$_”_DOMAINNAME_DOMAIN/ -LoginName -IsSiteCollectionAdmin $true}

or only for selected OneDrive’s if you prepare list beforehand (here it is named O4bUsers.csv)

$Creds = Get-Credential
Connect-SPOService -Url -credential $Creds
$Users = import-csv ./O4bUsers.csv
$Users | ForEach-Object { Set-SPOUser -Site $_.url -LoginName -IsSiteCollectionAdmin $true }

The second issue related to OneDrive migration, is the fact that when you move its data to a new tenant, you need to prepopulate O4B sites first-they are not automatically created when you assign license to Office365 user.

Here comes Powershell again, however it is required to use complex script and prepare a list of accounts to be created beforehand.

You can get relevant information here:

During preparation of migration batches, be careful entering account parameters.

OneDrive and Sharepoint links will change accordingly to the domain connected to user UPN – that is when UPN (login name) changes, OneDrive url will change too – for example:

can change to:

Due to this process, you must set the correct source and destination addresses in the migration tools. Be aware and do not migrate data in the wrong way!

• SharePoint world

Although it is integrated with other Office365 services, it is a separate environment, which is governed by its own laws. It can have its own set of users, permissions, and services you need to keep in mind during the migration.

Microsoft has no out of the box solution to transfer data, configuration and structure between Office365 tenants, however, there are third-party tools which can help you with the migration.

The complexity of all of the Sharepoint features causing that there is no application that can mirror everyone environment in the new place. Every tool on the market has always some limitations. You need to check the documentation for a list of functions and properties that can be included in the migration and exceptions that just cannot be migrated.

Even though you choose the best tool, it is useful to have Sharepoint specialist on board on the planning phase, during and just after migration to help solving emerging problems.

• Switching domain-downtime in the mail delivery

To move organization data from one Office365 tenancy to the other, one of the steps you need to perform is a domain migration. You cannot assign the same domain to two Office 365 tenants. You need to remove it from the existing one first, then add and verify in the second. This will be possible if you remove any domain aliases assigned to Office365 objects -mailboxes, groups, contact. This step is critical, because removing domain will stop mail flow directed to it.

If we do not use additional servers, which can take over the mail traffic for the duration of the switching domains (switching consists of removing, adding and verifying domain, changing MX records, waiting for DNS replication), for example hybrid on-premises Exchange Server, or Linux server – there will be a downtime in the mail service for selected domain.

You have to get this into account during planning stage and preparing migration steps for customer.

It is even more important when there are many, sometimes several hundred SMTP (mail) domains to migrate between the Office365 tenants, and at the same time you can get the verification code only up to 50 domains.

It is possible that you can also encounter unplanned obstacles, for example in the form of damaged objects – in my case it was when I cannot remove aliases and needed to remove object completely.

Some migration solutions:

for sharepoint:

read the article:

for onedrive:

All in one suite:



Office 365 objects:

How to recognize objects created directly in the Office 365? You can check date of their synchronization with the AD. Cloud users, groups and contacts which have never been synchronized with the directory service, will have the lastdirsynctime parameter set to null ($null).

Powershell commands to check cloud identities:

get-msoluser-all | where {$ _. lastdirsynctime-eq $null}

get-msolgroup-all | where {$ _. lastdirsynctime-eq $null}

get-msolcontact-all | where {$ _. lastdirsynctime-eq $null}


On Office 365 landing page:

How to Disable OneDrive for Business in Office 365

On Office 2016 package – by GPO:


Possible causes of O365 authentications failures:


ADFS account lockouts:


Protecting against DDOS and accounts lockouts:

AD FS Extranet Lockout: a case of the unintended pun

The threshold for Extranet Lockout Protection should be configured to be lower than the Lockout settings in Windows AD, so ADFS can stop trying to log on before it’s too late

Warning: the availability of the PDC is mandatory for WAP (proxy)-based authentications: look this article for more details:

ADFS attacks (video):




Azure AD Connect resources

The Microsoft replacement of Dirsync and AADSync is called AAD Connect.This new tool will install and configure the new Azure AD Synchronization Services (AAD Sync) and also the ability to deploy, install and configure AD Federated Services for authentication as well as Password Sync.

Azure AD connect download:

Azure AD connect version history:

Understanding concepts: Full Import, Full Synchronization, Delta Import, Delta Synchronization, Connector Space, Metaverse ;

Azure AD connect install:

Azure AD connect custom install:

Azure AD connect health:

Azure AD connect health agent installation:

Azure AD connect “high availability” (in reality it is called “staging mode”):

How to uninstall manually AADConnect:

AADConnect user accounts and permissions:

Enable TLS 1.2 for AADConnect:

Azure AD powerShell cmdlets:

Azure AD connect:

  • Azure AD Connect requires a SQL Server database to store identity data. By default a SQL Server 2012 Express LocalDB (a light version of SQL Server Express: is installed and the service account for the service is created on the local machine. SQL Server Express has a 10GB size limit that enables you to manage approximately 100,000 objects. If you need to manage a higher volume of directory objects, you need to point the installation wizard to a different installation of SQL Server.
  • If you use a separate SQL Server, then these requirements apply:
    • Azure AD Connect supports all flavors of Microsoft SQL Server from SQL Server 2008 (with SP4) to SQL Server 2014. Microsoft Azure SQL Database is not supported as a database.
    • You must use a case-insensitive SQL collation. These are identified with a _CI_ in their name. It is not supported to use a case-sensitive collation, identified by _CS_ in their name.
    • You can only have one sync engine per database instance. It is not supported to share the database instance with FIM/MIM Sync, DirSync, or Azure AD Sync.


Previous articles:


Azure AD Sync Services

AADSync has been released in Oct 2014.

Azure AD Sync is optimized for all organizations to easily on-board to Azure and take advantage of both Microsoft online services such as O365 and a world of connected SaaS applications.

Azure AD Sync Services is slated to get a number of new capabilities that DirSync and Forefront Identity Manager 2010 R2 won’t get.

Azure AD Sync Services can do some things that DirSync can’t. It can synchronize multiforest AD environments. It can sync a small set of user attributes. It can also map multiple Exchange deployments to a single Azure AD tenant.

However, Azure AD Sync Services currently lacks a few of DirSync’s capabilities. etc…

AADSync download:

AADSync setup:





How do I configure WAP in Windows Server 2012 R2 highly available?

Web Application Proxy (WAP) in Windows Server 2012 R2 provides a reverse proxy service enabling services hosted internally on-premises to be published to the Internet. It does this while also integrating with Active Directory Federation Services (ADFS) to enable pre-authentication, single sign-on and more. If you need to use WAP in a production scenario its important that the WAP service is highly available. This is achieved by deploying multiple WAP instances that use the same certificate and connect to the same ADFS instance to ensure consistent policy. Network load balancing is used to provide a virtual IP that joins the multiple WAP instances into a single highly available service. You can use either Windows NLB or a separate load balancing solution.

Working with WAP:

A step-by-step guide is available which walks through configuring two WAP servers using Windows NLB at As part of the same series it also walks through deploying a highly available ADFS implementation which is important as all parts of the solution need to be highly available to provide a highly available complete solution.

Do I need multiple NICs for Web Application Proxy?

No. Web Application Proxy has no requirements or preference around the number of network adapters. The decision to have multiple NICs is dependent only on your network topology and if you need multiple network adapters to enable the connectivity required

Best practice analyzer:

Example of implementation:



Office 365 usage reports permissions:

       Limitation: Who can see Office 365 Reports? You must be a global administrator in Office 365 or an Exchange, SharePoint, or Skype for Business       administrator to see Office 365 reports.

Assigning admin roles:

Assigning admin roles with PowerShell:

View your access and usage reports:

There is different ways to achieve BUs delegation:
o   Split to multiple tenants (other impacts)
o   Use a packaged third party offer (for example
It should also be possible to use group management provided by Azure AD (Azure AD Premium subscription required), but that need to be confirmed in term of feasibility and supportability:
Azure AD Delegated Group Management: Feature walk through


Please note that Azure AD Premium currently offers (in Preview)  a solution about delegation:

First impressions:

ADFS overview:

Technet videos:

ADFS how to for Office 365 :

Replacing ADFS certificates:

Enable auditing of issued claims:

WAP (Web application proxy):

WAP Deployment using powershell: 

Upgrading from ADFS 2.x to 3.0:


We cannot upgrade a 2012 ADFS Proxy to 2012 R2 ADFS Proxy

We cannot mix a proxy in 2012 ADFS Proxy with internal ADFS in 2012 R2

For proxies:

Add new WAP Proxy server box (2012 R2) on DMZ zone

For internal ADFS servers:

Add new 2012 R2 box on same zone than internal ADFS servers

Migrate WID DB from existing ADFS internal servers to the new 2012 R2 box


DNS Vip of HWLB in front of the ADFS proxies (exposed to internet) for will not change

DNS Vip of HWLD in front of the internal ADFS servers for will not change

But you need to add:

New WAP IP@s on HWLB device for ADFS-Proxy pool

Add new ADFS 2012 R2 IP@s on HWLB device for ADFS-Internal pool


ADFS v2.1

ADFS deep dive planning and design:

ADFS deep dive certificate planning:

Main Portal:

Technet videos:

Certificates requirements: Also previous: . In general a standard SSL certificate will be sufficient and you can use the same certificate for token signing and SSL communications (if acceptable by your security policy).

Certificate Requirements for Federation Server Proxies:

Federation server proxies are usually exposed to computers on the Internet that are not included in your enterprise public key infrastructure (PKI). Therefore, use a server authentication certificate that is issued by a public (third-party) certification authority (CA), for example, VeriSign or Comodo. When you have a federation server proxy farm, all federation server proxy computers must use the same server authentication certificate. It is important to verify that the subject name in the server authentication certificate matches the Federation Service name value that is specified in the AD FS 2.1 Management snap-in. To locate this value, open the snap-in, right-click Service, click Edit Federation Service Properties, and then find the value in Federation Service name text box. Note: Client authentication certificates are not required for AD FS 2.0 federation server proxies.

How to Replace the SSL, Service Communications, Token-Signing, and Token-Decrypting Certificates:


Prepare your network for federation servers:

and create A records for your AD Federation service name not CNAME !

BIG-IP hw load balancers and ADFS:

Backup ADFS:

Migrate ADFS DB to SQL:

Installation checklist :

In addition, this is an excellent article on configuring ADFS v. 2.0:


example of implementation with a cloud service:

ADFS design and deployment:

Understanding the ADFS proxy:

Planning Federation Server Proxy Placement:

Troubleshooting federation server proxy problems:

How to test if ADFS is functioning:

Guidance for Selecting and Utilizing a Federation Service Name:

Proxy Management:

Cmdlets in Windows PowerShell:

Replacing ADFS certificates:

Enable auditing of issued claims:


Other web resources about ADFS:


Use cases:

Steps by steps and use cases: