Category: Office365


Article about multi environments in a single tenant:

An environment is a space to store, manage, and share your organization’s business data, apps, and flows. They also serve as containers to separate apps that may have different roles, security requirements, or target audiences:

https://flow.microsoft.com/fr-fr/blog/intro-flow-admin-center/

https://docs.microsoft.com/en-us/flow/environments-overview-maker

https://docs.microsoft.com/en-us/power-platform/admin/environments-overview

 

Advertisements

Azure AD Sync issues:

 

https://gallery.technet.microsoft.com/scriptcenter/Common-Azure-AD-Sync-Issues-0f0025e1#content

 

https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Sync-Error-Reports-in-AzureAD-Connect-Health-are-now-in-Public/ba-p/245151

Here are resources about Azure and Office365,

let me summarize:

Office365 : is an offer of MS services and hosted applications – Saas ; in clear you pay for a service (sharepoint,exchange,office…) and you don’t manage the infra behind (like CPU,RAM,Storage,Security)

Azure: is a cloud (private/public) offer – paas/Iaas ; compared to Office365, MS provide just the plumbery (hyper-v, Storage, CPU, RAM, network) and you manage the applications, the Operating system, the security and patches, the applications ; in short “it is like a lego or a Mecano!”, and with Azure you can mix your on-premises IT infra with Azure in the cloud (and vice-versa)

Web resources for Azure  / Office 365:

Azure tips and tricks: https://azure.microsoft.com/en-us/blog/azure-tips-and-tricks-become-more-productive-with-azure/

Manage VM: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/

Office 365 for business get started: https://support.office.com/en-us/article/Get-started-with-Office-365-for-business-d6466f0d-5d13-464a-adcb-00906ae87029

Fasttrack: http://fasttrack.microsoft.com/office/drive-value/engage

Productivity library (scenarios): http://fasttrack.microsoft.com/office/envision/productivitylibrary

Technical decks: https://channel9.msdn.com/Events/Ignite/2016?sort=status&direction=desc&r%5B0%5D=Office%20365&page=2

Technical references: https://technet.microsoft.com/en-us/library/office-365-service-descriptions.aspx

Videos: https://www.youtube.com/user/OfficeGarageSeries

eLearning: https://mooc.office365-training.com/en/

Roadmap: https://products.office.com/en-us/business/office-365-roadmap

Azure AD Blog: http://blogs.technet.com/b/ad/

Azure Powershell: https://azure.microsoft.com/en-us/blog/azps-1-0/?utm_content=buffer067b3&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer

Azure RMS blog: http://blogs.msdn.com/b/rms/

‘In the Cloud’: http://blogs.technet.com/b/in_the_cloud/

Office blog: http://blogs.office.com/    and   http://office.microsoft.com/en-us/

Intune blog: http://blogs.technet.com/b/microsoftintune/

Azure training kit: http://www.microsoft.com/en-us/download/details.aspx?id=8396

FAQ and enhancement suggestions: http://www.mygreatwindowsazureidea.com/forums/34192-general-feedback

portal and management: https://manage.windowsazure.com

main: http://www.windowsazure.com     calculatrice: http://aka.ms/calculatrice      white papers: http://aka.ms/livresblancs     FR blog: http://aka.ms/AzurBlogFr

Security: http://aka.ms/trustcenter   http://aka.ms/px2ahn

To go deeper:  http://aka.ms/MsdnAzureFr     Forum: http://aka.ms/ForumSupport     channel9:  http://aka.ms/Channel9AzureFr     Dashboard/SLAB: http://aka.ms/AzureDashboard

Blogs: http://blog.jeanlucboucho.com

Renew federation certificates for Office 365 and Azure Active Directory:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-o365-certs

Prerequisites before using Azure:

Prepare your environment: http://msdn.microsoft.com/en-us/library/windowsazure/jj554332.aspx

Need certificates: http://msdn.microsoft.com/en-us/library/windowsazure/gg981929.aspx

How to use CSUpload?

How do you get CSUPLOAD?

CSUPLOAD is part of the Windows Azure SDK. After installing all components, it finds you csupload under the following path:
“C:\Program Files\Microsoft SDKs\Windows Azure\.NET SDK\v2.0\bin\csupload.exe”
How does CSUPLOAD work?

CSUPLOAD is a command console program that the VHDs in the uploads BLOB storage account and authenticated to the azure cloud client certificates.
Overall it with Visual Studio is very simple and fast to create the appropriate certificates, and to distribute them to the appropriate locations through the function
“Publish to Azure” that requires requires developer know-how or you experience with the Visual Studio.

CSUpload syntax reference:
http://msdn.microsoft.com/en-us/library/gg466228.aspx

Managing disks and images:
http://msdn.microsoft.com/en-us/library/windowsazure/jj672979.aspx

How to:http://www.microsofttranslator.com/bv.aspx?from=&to=en&a=http://blogs.technet.com/b/patrick_heyde/archive/2012/07/12/windows-azure-csupload-setup-amp-how-to.aspx

the article above refers to: http://www.microsofttranslator.com/bv.aspx?from=&to=en&a=http%3A%2F%2Fblogs.msdn.com%2Fb%2Favkashchauhan%2Farchive%2F2011%2F09%2F21%2Fhow-to-generate-2048-bit-certificate-with-makecert-exe.aspx

Example:

CSUPLOAD how to?

# Create exportable certificate for Azure (use -pe to be exportable)
makecert -r -pe -n “CN=My Azure IaaS Cert2048” -a sha1 -ss My -len 2048 -sy 24 -b 07/08/2013 -e 07/08/2014

then open mmc,load certificates snap-in, My user, personal,
select the certificate, export
to D:\Contoso
MyAzureCertificate.cer

upload the certificate, from the Azure portal, settings, certificates management

get the thumbprint: 4D15540AFD7182964651826BE133FB3C868BA4D1

Now with csupload:

“C:\Program Files\Microsoft SDKs\Windows Azure\.NET SDK\v2.0\bin\csupload” Set-Connection “SubscriptionId=eaea9c22-cc5a-4da2-8dd2-d89837f042b7;CertificateThumbprint=4D15540AFD7182964651826BE133FB3C868BA4D1;ServiceManagementEndpoint=https://management.core.windows.net”

# just for fun

D:\Contoso>”C:\Program Files\Microsoft SDKs\Windows Azure\.NET SDK\v2.0\bin\csupload” get-Connection
Windows(R) Azure(TM) Upload Tool version 2.0.0.0
for Microsoft(R) .NET Framework 3.5
Copyright c Microsoft Corporation. All rights reserved.

Warning: CSUpload.exe will be deprecated in a future release. Use the Windows Azure PowerShell cmdlets instead: http://go.microsoft.com/?linkid=9811175&clcid=0x409.
ConnectionString          : SubscriptionId=eaea9c22-cc5a-4da2-8dd2-d89837f042b7;CertificateThumbprint=4D15540AFD7182964651826BE133FB3C868BA4D1;ServiceManagementEndpoint=https://management.core.windows.net/
SubscriptionId            : eaea9c22-cc5a-4da2-8dd2-d89837f042b7
CertificateSubjectName    : CN=Amadeus Azure IaaS Cert2048
CertificateThumbprint     : 4D15540AFD7182964651826BE133FB3C868BA4D1
ServiceManagementEndpoint : https://management.core.windows.net/

D:\Contoso>”C:\Program Files\Microsoft SDKs\Windows Azure\.NET SDK\v2.0\bin\csupload” get-location
Windows(R) Azure(TM) Upload Tool version 2.0.0.0
for Microsoft(R) .NET Framework 3.5
Copyright c Microsoft Corporation. All rights reserved.

Warning: CSUpload.exe will be deprecated in a future release. Use the Windows Azure PowerShell cmdlets instead: http://go.microsoft.com/?linkid=9811175&clcid=0x409.
Using the saved connection string…
Location : West US

Location : East US

Location : East Asia

Location : Southeast Asia

Location : North Europe

Location : West Europe

A total of 6 record(s) were found.

D:\Contoso>”C:\Program Files\Microsoft SDKs\Windows Azure\.NET SDK\v2.0\bin\csupload” get-hostedservice
Windows(R) Azure(TM) Upload Tool version 2.0.0.0
for Microsoft(R) .NET Framework 3.5
Copyright c Microsoft Corporation. All rights reserved.

Warning: CSUpload.exe will be deprecated in a future release. Use the Windows Azure PowerShell cmdlets instead: http://go.microsoft.com/?linkid=9811175&clcid=0x409.
Using the saved connection string…
Name          : amazure
Label         : amazure
Location      : North Europe

A total of 1 record(s) were found.

D:\Contoso>”C:\Program Files\Microsoft SDKs\Windows Azure\.NET SDK\v2.0\bin\csupload” get-disk
Windows(R) Azure(TM) Upload Tool version 2.0.0.0
for Microsoft(R) .NET Framework 3.5
Copyright c Microsoft Corporation. All rights reserved.

Warning: CSUpload.exe will be deprecated in a future release. Use the Windows Azure PowerShell cmdlets instead: http://go.microsoft.com/?linkid=9811175&clcid=0x409.
Using the saved connection string…
Name                : Contoso-Contoso-0-201308011545510947
Location            : North Europe
OS                  : Windows
LogicalDiskSizeInGB : 128
MediaLink           : http://portalvhdsncdc9022xjxbf.blob.core.windows.net/vhds/amazure-Contoso-2013-08-01.vhd
SourceImageName     : a699494373c04fc0bc8f2bb1389d6106__Windows-Server-2012-Datacenter-201306.01-en.us-127GB.vhd

A total of 1 record(s) were found.

—————————————–
Upload a disk (vhd) to Azure:

You can use the Add-Disk parameter of the CSUpload Command-Line Tool to upload a .vhd file and register it in Windows Azure as either an operating system disk or a data disk.
An image is a VHD that has been generalized and is used to create an operating system disk. An operating system disk is a VHD that contains specific settings for a virtual machine.

Specifies a VHD file to be uploaded as a disk. A VHD file that has been uploaded as a disk can be used to create a virtual machine if the file contains an operating system or it can be used to create a data disk that can be attached to a virtual machine.
•–Connection <string> – (Optional if the Set-Connection command has been run) Specifies the connection string that is used to connect to Windows Azure. The connection string contains the identifier of your Windows Azure subscription and the thumbprint of the management certificate that you created to enable API access to the subscription. The connection string is provided in the following format: “SubscriptionID=subscription-id;CertificateThumbprint=cert-thumbprint;ServiceManagementEndpoint=https://management.core.windows.net”. You can find the subscription identifier and certificate thumbprint in Management Portal.
•-Destination <string> – Specifies the blob storage account where the VHD file is stored. The destination includes the endpoint of the account, the container in the account where the file is stored, and the name of the VHD file. For example,”http://auxpreview146imagestore.blob.core.azure-preview.com/mydisks/mydisk.vhd&#8221;
•-Label <string> – Specifies the identifier that is used for the disk in the Management Portal.
•-LiteralPath <string> – Specifies the location and name of the VHD file to upload as a disk.
•-Name <string> – (Optional) Specifies the name to be used for the VHD file that is being uploaded.
•-OS <string> – (Optional) If the VHD file that is being uploaded contains an operating system to be used with a virtual machine, you must include this parameter with the value of Windows or Linux depending on the type of operating system that is installed.
•-Overwrite – (Optional) Indicates that you intend to overwrite an existing VHD file with a new file.

“C:\Program Files\Microsoft SDKs\Windows Azure\.NET SDK\v2.0\bin\csupload” add-disk -destination http://portalvhdsncdc9022xjxbf.blob.core.windows.net/vhds/SP2010.vhd -label SP2010 -literalpath d:\contoso\contoso1.vhd -name contoso1.vhd -os Windows

“C:\Program Files\Microsoft SDKs\Windows Azure\.NET SDK\v2.0\bin\csupload” add-disk -destination http://portalvhdsncdc9022xjxbf.blob.core.windows.net/vhds/EX2010.vhd -label EX2010 -literalpath d:\contoso\contoso2.vhd -name contoso2.vhd -os Windows

Introduction

 

  • A number of organizations use AD FS for SSO capabilities, but all such organizations do not have HA or Site resilience added to AD FS Deployment
  • The Password Sync option can be a great backup solution while AD FS is offline or while you are fixing AD FS problems
    • DirSync is already a core component required for AD FS, just required to enable the Password Sync feature
    • Alternatively, you could have Password Sync enabled running all the time. Does not interfere with SSO
    • During AD FS failure, fallback to Password Sync can be done through couple of methods. But it will takes time (up to 72 hours) to be effective for the users. Those methods must be only enabled in case of Disaster.

Implementation Method1

 

  • Method 1: Using Set-MsolDomainAuthentication cmdlet
    • This cmdlet is a good temporary option, as it,
      • Does not require AD FS to be online
      • Will only update the settings in Microsoft Online Services
      • Will not remove the Office 365 relying party trust information from AD FS
      • Will not change the User objects (from federated to standard)
    • Process to switch to Password sync:
        • Enable Password Sync (if not already enabled)

       

    • Set-MsolDomainAuthentication –DomainName <Domain Name> -Authentication Managed
      • Use Get-Msoldomain cmdlet to check if the domain is in mode Managed and not Federated
      • Force full Password sync, if required
    • Revert to AD FS or SSO:
      • Convert-MsolDomainToFederated –DomainName <DomainName> (requires AD FS online)
      • This cmdlet will revert the domain back to Federated, and will re-establish the relying party trust
      • Use Get-Msoldomain cmdlet to check if the domain is in mode Federated and not Managed

Implementation Method 2

 

  • Method 2: Using Convert-MsolDomainToStandard cmdlet
    • Is good for either temporary or exclusive switch over to Password Sync
      • Requires AD FS to be online
      • Will remove relying party trust information from MFG and on-premises AD FS (cleans-up)
      • Optionally converts Federated users to Standard users (which enables ‘change password’ option for them in portal)
      • Resets and generates temporary passwords for these users (can be overwritten with Password Sync)
      • Limited to process only 1000 user objects (use Convert-MsolFederatedUser or this script for more than 1000 objects)
      • Use Get-Msoldomain cmdlet to check if the domain is in mode Managed and not Federated
    • Process to switch to Password sync:
      • Enable Password Sync (if not already enabled)
      • Convert-MsolDomainToStandard -DomainName <Domain Name> -SkipUserConversion $True or, for permanent switchover that could take two hours, use -SkipUserConversion $false
      • 3. Force full Password sync
    • Revert to AD FS or SSO:

Convert-MsolDomainToFederated –DomainName <DomainName> (requires AD FS online)

      • Use Get-Msoldomain cmdlet to check if the domain is in mode Federated and not Managed

Good articles to explain the differences and how to merge the S&C Sensitivity labels and AIP labels,

https://www.itpromentor.com/aip-vs-365-labels/

https://www.petri.com/unifying-office-365-sensitivity-labels

 

MS technet:

S&C labels: https://docs.microsoft.com/en-us/Office365/SecurityCompliance/sensitivity-labels

AIP labels: https://docs.microsoft.com/en-us/azure/information-protection/configure-policy-protection

 

 

https://docs.microsoft.com/en-gb/office365/admin/manage/release-options-in-office-365

Azure AD B2B resources

https://docs.microsoft.com/fr-fr/azure/active-directory/b2b/what-is-b2b

  • The partner uses their own identities and credentials; Azure AD is not required.
  • You don’t need to manage external accounts or passwords.
  • You don’t need to sync accounts or manage account lifecycles.

Managing externals:

https://predica.pl/blog/guests-in-the-cloud-how-to-safely-manage-external-users-using-azure-ad-b2b/

SharePoint Online Azure AD B2B – Custom email invites for users using PowerShell

Powershell to invite B2B users:

https://github.com/Azure/azure-docs-powershell-azuread/blob/master/azureadps-2.0/AzureAD/New-AzureADMSInvitation.md

https://www.adamfowlerit.com/2017/03/azure-ad-b2b-powershell-invites/

https://justidm.wordpress.com/2017/05/07/azure-ad-b2b-how-to-bulk-add-guest-users-without-invitation-redemption/

How to identify stale guest users:

https://www.undocumented-features.com/2018/06/22/how-to-find-staleish-azure-b2b-guest-accounts/

script: https://gallery.technet.microsoft.com/scriptcenter/Report-on-Azure-AD-Stale-8e64c1c5

External sharing:

with SPO: https://docs.microsoft.com/en-us/sharepoint/external-sharing-overview

with OneDrive: https://docs.microsoft.com/en-us/onedrive/manage-sharing

with MS Teams: https://docs.microsoft.com/en-us/microsoftteams/let-your-teams-users-communicate-with-other-people

Sharing and collaboration:

https://docs.microsoft.com/en-us/office365/enterprise/office-365-inter-tenant-collaboration

B2B Collaboration in Hybrid Identity Scenario

B2B Collaboration in Hybrid Identity Scenario – Part II

By default Azure AD connect will synchronize disabled accounts from AD to AAD. It is normal and is it recommended due to Exchange hybrid and EXO requirements.

 

It is possible to create a custom rule on AD Sync rules editor to not synchronize disabled AD accounts:

https://spanougakis.wordpress.com/2016/02/28/how-to-stop-disabled-user-accounts-from-syncing-with-azure-ad-connect/

 

Office 365 – Assigning licenses

Managing licenses with AzureAD module:

https://practical365.com/blog/managing-office-365-licenses-with-azure-ad-v2-powershell-module/

 

Managing licenses with MSonline module:

https://gcits.com/knowledge-base/get-office-365-users-specific-license-type-via-powershell/

https://www.morgantechspace.com/2018/02/check-if-office-365-user-is-licensed-or-not-powershell.html

 

Assign licenses with AzureAD groups:

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-licensing-group-assignment-azure-portal

 

 

 

As we prepare for the migration from on-premises Skype for Business to Skype for Business Online, there are a few important considerations to bear in mind before you take the leap. I will be covering these in a series of posts (hopefully), today I want to share with you a common scenario we will face while preparing for migration.

We are well aware of the pre-requisite for Office 365 that demands an Active Directory synchronised user must have a publically routable User Principal Name (UPN). So critical is this requirement that it is now engrained in every consultant’s mind and increasingly customers are becoming more aware of this without us even mentioning it. However, this can often produce its own unique challenges.

Many organisations set their users up with an ambiguous username, something that does not immediately identify a user by name e.g. a134g@domain.com rather than markv@domain.com. This is to avoid name conflicts and was often used as an additional domain security measure. When a user is synchronised to Office 365 their UPN is used to provision the identity and service addresses for Exchange and Skype for Business. Often the case is that users UPNs do not match their publically available contact information such as their e-mail address. E-mail addresses are usually more personable to each users and contain their true identity e.g markv@domain.com. In order to integrate Skype for Business Online with Exchange properly it is important that the user’s SIP address matches their primary e-mail address i.e. markv@domain.com and not a134g@domain.com.

However, when you perform an AD Sync with Office 365 the user’s Skype for Business Online identity is provisioned using the UPN like so:

On-premises Identity (UPN = a134g@domain.org)

Synchronised Identity in Office 365 Portal also a134g@domain.org

PowerShell output showing primary SIP Address in Skype for Business Online


In order to change this, the solution is to look and edit the on-premises identity, as this is the source of authority for this person’s cloud identity. Specifically, we need to modify an attribute on the user’s Active Directory account called msRTCSIP-PrimaryUserAddress. In order to find this attribute, your on-premises Active Directory domain is required to be prepared for Lync / Skype for Business On-premises. Therefore, you may need to download the on premises software and run AD schema preparation to have this property available. I say may read on.

First change find and change this attribute

Click on edit and enter the desired address in this format: sip:markv@domain.org

Perform directory synchronisation using AADSync and then check the SIP Address of the online identity. You should see that is has changed

Please note that this only works for synchronised identities. Cloud identities must be provisioned with the primary SIP address as the username.

If you have not prepared your Active Directory domain from on-premises Lync / Skype for Business and do not have the msRTCSIP-PriamryUserAddress attribute, there is an alternative method you can use. Instead we can use the ProxyAddresses attribute that is natively part of Active Directory. This attribute is the same on you use for provisioning e-mail addresses to get around the same issue as we have. Open the ProxyAddressess attribute and add a new Proxy Address into the list using the following format: sip:markv@domain.org

Perform a directory synchronisation and test the SIP address has been updated correctly