Map accounts between AD and Azure

If you want to sync users from on-premises AD to Azure AD, the recommended tool is AD Connect. If you already have users in Azure AD, you probably want to map them to the on-premises users. The first time you sync between on-premises AD and Azure AD, AD Connect will try to link the UserPrincipalName in AD with the UserPrincipalName in Azure AD, a so-called soft match. Sometimes that does not work, for various reasons, and then you can do the mapping yourself. You do that by writing the ObjectGUID from AD into the ImmutableId field in Azure AD. The value must be base64-encoded first, though. It goes roughly like this:

# Requires the ActiveDirectory and MSOnline modules; Connect-MsolService prompts for tenant admin credentials
Import-Module ActiveDirectory
Connect-MsolService
$userPrincipalName = "myuser@powerkjell.com"
$adUser = Get-ADUser -Filter { userPrincipalName -eq $userPrincipalName }
# ImmutableId must be the base64 encoding of the on-premises ObjectGUID bytes
$guid = New-Object -TypeName System.Guid -ArgumentList $adUser.ObjectGUID
$immutableId = [System.Convert]::ToBase64String($guid.ToByteArray())
Set-MsolUser -UserPrincipalName $userPrincipalName -ImmutableId $immutableId
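The same hard match done for a list of users, as an added example that is not part of the original post: it converts the anchor in both directions and refuses to overwrite an ImmutableId that already points at a different on-premises object. The UPNs are constructed samples; the modules and the Connect-MsolService session are assumed.

```powershell
# Added example: bulk hard match with a check before writing ImmutableId.
# Assumes the ActiveDirectory and MSOnline modules and a Connect-MsolService session.
Import-Module ActiveDirectory
Connect-MsolService

# The anchor is the base64 encoding of the 16 ObjectGUID bytes; decode it to audit existing values
function ConvertTo-ImmutableId([guid]$ObjectGuid) {
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}
function ConvertFrom-ImmutableId([string]$ImmutableId) {
    New-Object -TypeName System.Guid -ArgumentList (,[System.Convert]::FromBase64String($ImmutableId))
}

# Constructed sample list; in practice feed it from Import-Csv
$upns = @("user1@powerkjell.com", "user2@powerkjell.com")

foreach ($upn in $upns) {
    $adUser = Get-ADUser -Filter "userPrincipalName -eq '$upn'"
    if (-not $adUser) { Write-Warning "$upn not found in on-premises AD"; continue }
    $msolUser = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
    if (-not $msolUser) { Write-Warning "$upn not found in Azure AD"; continue }

    $expected = ConvertTo-ImmutableId $adUser.ObjectGUID
    if ($msolUser.ImmutableId -eq $expected) {
        Write-Output "$upn already matched to $($adUser.ObjectGUID)"
    } elseif ($msolUser.ImmutableId) {
        # Never silently repoint an anchor that already refers to a different on-premises object
        $current = ConvertFrom-ImmutableId $msolUser.ImmutableId
        Write-Warning "$upn already has ImmutableId for GUID $current (expected $($adUser.ObjectGUID)); skipping"
    } else {
        Set-MsolUser -UserPrincipalName $upn -ImmutableId $expected
        Write-Output "$upn matched to $($adUser.ObjectGUID)"
    }
}
```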

Update the SSL certificate for ADFS

When you set up ADFS in your environment you use a gateway and an SSL certificate for it, for example fs.contoso.com. This SSL certificate needs to be renewed, and the easiest way to do that is with PowerShell (of course!). Log in to all ADFS servers and add the certificate. Then update ADFS as follows:

Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint <Thumbprint>
Set-AdfsSslCertificate -Thumbprint <Thumbprint>

On the Web Application Proxy, run the following command in PowerShell:

Set-WebApplicationProxySslCertificate -Thumbprint <Thumbprint>

Updating the SSL certificate causes a short disruption of a few seconds in the environment.
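The renewal steps above as one script, added here as an example (not from the original post): it picks the newest unexpired certificate with a private key for the service name, applies it for whichever role the server has, and reads the bindings back to confirm nothing is left on the old thumbprint. It assumes the certificate's subject CN is the service name; adapt the filter for wildcard certificates.

```powershell
# Added example. Run in an elevated PowerShell on each ADFS server and each Web Application Proxy.
$fsName = "fs.contoso.com"   # federation service name from the post

# Pick the newest certificate for the service name that has a private key and is not expired
# (assumes the subject CN equals the service name)
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$fsName*" -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable certificate for $fsName in LocalMachine\My" }
$thumbprint = $cert.Thumbprint
Write-Output "Using $thumbprint (expires $($cert.NotAfter))"

if (Get-Command Set-WebApplicationProxySslCertificate -ErrorAction SilentlyContinue) {
    # Web Application Proxy role
    Set-WebApplicationProxySslCertificate -Thumbprint $thumbprint
} else {
    # ADFS role: service-communications certificate first, then the HTTP.SYS SSL binding
    Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $thumbprint
    Set-AdfsSslCertificate -Thumbprint $thumbprint

    # Verify that no binding for the service name still uses an old certificate
    $stale = Get-AdfsSslCertificate |
        Where-Object { $_.HostName -like "*$fsName" -and $_.CertificateHash -ne $thumbprint }
    if ($stale) { throw "Bindings still on the old certificate: $($stale.HostName -join ', ')" }
}
```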

More information from Microsoft is available here:

How to Update Certificates for AD FS 3.0

Set forwarding on a mailbox

A user can easily set forwarding of their e-mail to another e-mail address. If you want to do this for your users, and lock it so they cannot change it, you can do it with PowerShell.

Set-Mailbox -Identity <Identity> -DeliverToMailboxAndForward $true -ForwardingSMTPAddress <EmailAddress>

This can be useful, for example, when a user has left or is on leave.
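An added example, not from the original post, that sets forwarding for a leaver and then lists every mailbox in the tenant that forwards anywhere, flagging targets outside the accepted domains, so forwarding set by users themselves shows up next to the ones set by admins. It assumes an Exchange Online remote PowerShell session; the addresses are constructed samples.

```powershell
# Added example. Assumes an Exchange Online remote session (Get-Mailbox, Set-Mailbox, Get-AcceptedDomain).
$identity  = "leaver@powerkjell.com"    # constructed sample: user who has left
$forwardTo = "manager@powerkjell.com"   # constructed sample: recipient of the copy
Set-Mailbox -Identity $identity -DeliverToMailboxAndForward $true -ForwardingSmtpAddress $forwardTo

# Check: report all mailboxes with forwarding configured, and whether the target is external
$ownDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { "$_" }
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    ForEach-Object {
        # ForwardingSmtpAddress is stored as "smtp:user@domain"; strip the prefix before comparing
        $target = "$($_.ForwardingSmtpAddress)" -replace '^smtp:', ''
        $domain = ($target -split '@')[-1]
        [pscustomobject]@{
            Mailbox    = $_.PrimarySmtpAddress
            ForwardsTo = if ($target) { $target } else { $_.ForwardingAddress }
            KeepsCopy  = $_.DeliverToMailboxAndForward
            External   = [bool]$target -and ($ownDomains -notcontains $domain)
        }
    } | Sort-Object External -Descending | Format-Table -AutoSize
```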

Set the time zone on a mailbox

When you assign a user an Exchange license in Office 365, a mailbox is created automatically. This mailbox gets no time zone; the user has to set it themselves. You can help with this, e.g. with PowerShell:

Get-Mailbox <Identity> | Set-MailboxRegionalConfiguration -TimeZone "W. Europe Standard Time"

However, you need to wait 5-10 seconds after the license has been assigned so that the mailbox has time to be created before you run this command. Otherwise no mailbox is found and you get an error message.
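Instead of a fixed pause, the following added example (not from the original post) polls for the mailbox after the license has been assigned, sets the time zone once it exists, and reads the setting back. It assumes an Exchange Online remote session; the user is a constructed sample.

```powershell
# Added example. Assumes an Exchange Online remote session; $upn is a constructed sample.
$upn      = "newuser@powerkjell.com"
$timeZone = "W. Europe Standard Time"

# The license assignment provisions the mailbox asynchronously, so poll until it appears
$mailbox  = $null
$deadline = (Get-Date).AddMinutes(2)
while (-not $mailbox -and (Get-Date) -lt $deadline) {
    $mailbox = Get-Mailbox -Identity $upn -ErrorAction SilentlyContinue
    if (-not $mailbox) { Start-Sleep -Seconds 5 }
}
if (-not $mailbox) { throw "No mailbox for $upn after 2 minutes; check the license assignment" }

Set-MailboxRegionalConfiguration -Identity $upn -TimeZone $timeZone

# Read the setting back to confirm it took effect
$config = Get-MailboxRegionalConfiguration -Identity $upn
if ($config.TimeZone -ne $timeZone) { throw "Time zone on $upn is '$($config.TimeZone)', expected '$timeZone'" }
Write-Output "$upn now uses time zone '$($config.TimeZone)'"
```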

Deploying Office 365

To get started with Office 365, this is a quick setup:


You will need:

  • 3-5 servers, Windows Server 2012 R2
    • AAD Sync, must be domain joined
    • ADFS01, must be domain joined
    • ADFS02, must be domain joined
    • WebProxy01, should not be domain joined
    • WebProxy02, should not be domain joined
  • SSL certificate for federation gateway, e.g. fs.domain.com, it should be installed on all ADFS servers and Web Proxies.
  • Access to all servers with installation account, which must be Domain Admin.
  • Two AD service accounts, e.g. SVC-AADSYNC and SVC-ADFS. Both have to be Domain Users. AADSYNC will need more permissions for a hybrid deployment: http://msdn.microsoft.com/en-us/library/azure/dn757602.aspx#BKMK_CreateAnADAccountForTheSyncService
  • Service account in Office 365 which is Global Administrator.
  • Internal DNS for fs.domain.com pointing to ADFS-NLB.
  • External DNS for fs.domain.com pointing to Web Proxy-NLB.
  • Office 365 tenant with licenses for your users.
  • Testaccounts!

Please document setup well. Happy clouding!

Free Office Pro for students

Today Microsoft announced a new education program called “Student Advantage”, which means students can get Office Pro for free if the institution has licenses for faculty and staff.

Beginning Dec. 1, any academic institution that licenses Office for staff and faculty can provide Office 365 ProPlus for students at no additional cost.

Most institutions deploying Office 365 have so far used the free A2 for both faculty and for students, but if A3 were deployed for faculty, there is an option to add Office Pro for students (A2 + Office Pro).

Read the entire announcement from Anthony Salcito: http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/10/15/microsoft-announces-new-student-advantage-program-to-prepare-students-for-tomorrow-s-jobs.aspx

Password Synchronization

Microsoft has released a new feature in an updated version of the Windows Azure Active Directory Sync tool: Password Synchronization. When activated, users' on-premises Active Directory passwords are copied to Windows Azure Active Directory (Azure AD), allowing the customer to use their on-premises password to log into their Office 365, Intune, CRM Online and other Online Services accounts. Changes to on-premises passwords are synced to the cloud in minutes (not every three hours).

Enable Password Synchronization

Uninstall old Directory Sync tool
The old Directory Synchronization tool must be uninstalled.

Enable Password Synchronization
To enable Password Sync for your tenant, use the following cmdlet syntax:

Set-MsolPasswordSyncEnabled -EnablePasswordSync $true

Note: Verify that the correct PowerShell module is installed and contains the cmdlet.

Install new Directory Sync tool
Install the new Windows Azure Active Directory Synchronization tool. Installation of the new tool requires a “full” sync. Please use the steps in the following article to optimize the initial full sync after upgrading.

Password Synchronization does not replace Single Sign-on or Identity Federation. No token sharing or exchange takes place between the customer's on-premises environment and Office 365. The Password Sync feature will not synchronize passwords for users with federated identities; the Password Sync feature does actually try to sync those passwords, and the FIM client shows “successful”, but the cloud ignores the password reset.

According to Microsoft, the Password Synchronization feature is only available with DirSync and is not supported with the Office 365 connector for FIM (which is still not released).

Setting up Office 365

This is a quick guide how to set up Office 365 according to Microsoft best practice. This is what the setup looks like:

This is what you need:

  • Windows Server 2008 R2 for DirSync.
  • Windows Server 2008 R2 for ADFS federation. This can be a domain controller.
  • Windows Server 2008 R2 for ADFS federation proxy in DMZ. This can be an IIS.
  • Account to log into these machines. This account needs to be local admin to be able to install DirSync and ADFS.
  • Account that is member of Enterprise Admins. This account is needed to configure DirSync. A service account, MSOL_AD_SYNC, is created in Users container.
  • Active Directory service account for ADFS, e.g. ADFS2SVC.
  • SSL certificate for ADFS, e.g. fs.powerkjell.com. This certificate needs to be added to IIS of both ADFS and ADFS proxy servers.
  • External DNS record for fs.powerkjell.com to point at ADFS proxy. In internal DNS it should point at internal ADFS.

Information about setting up DirSync: http://technet.microsoft.com/en-us/library/hh967642.aspx

Read more about SSO with ADFS: http://technet.microsoft.com/en-us/library/hh967628.aspx

  • Make sure you have the service account created.
  • Make sure you have the SSL certificate available.
  • You may need an account with higher privileges when configuring ADFS on the first server, since it creates a container in Active Directory.
  • Make sure DNS records are correct. The ADFS proxy needs to find ADFS on fs.powerkjell.com.
  • Run the Powershell commands to create a trust to Office 365 from ADFS (not ADFS proxy).
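The trust-creation step from the internal ADFS server, as an added example (not part of the original guide): it points the MSOnline module at the ADFS server, converts the domain to federated only if it is still managed, and reads the federation properties back to confirm both sides agree. The domain is the one used in the guide; the ADFS hostname is an assumption.

```powershell
# Added example. Run on the internal ADFS server (not the proxy) with the MSOnline module installed.
Import-Module MSOnline
Connect-MsolService    # Office 365 Global Administrator credentials

$domain     = "powerkjell.com"               # domain from the guide
$adfsServer = "adfs01.powerkjell.local"      # assumed internal hostname of the ADFS server

# Tell the MSOnline cmdlets which ADFS server to configure the relying party trust on
Set-MsolAdfscontext -Computer $adfsServer

# Converting an already federated domain is not needed; check the current state first
$before = Get-MsolDomain -DomainName $domain
if ($before.Authentication -eq "Federated") {
    Write-Output "$domain is already federated"
} else {
    Convert-MsolDomainToFederated -DomainName $domain
}

# Compare the federation settings ADFS holds with those registered in Office 365
Get-MsolFederationProperty -DomainName $domain | Format-List Source, FederationBrandName, ActiveLogOnUri, PassiveLogOnUri, TokenSigningCertificate
```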

According to the recommendations from Microsoft you need load-balanced ADFS and ADFS proxy servers, which means there should be at least two on each side.

Good luck!