Setting up Office 365

This is a quick guide to setting up Office 365 according to Microsoft best practice. This is what the setup looks like:

This is what you need:

  • Windows Server 2008 R2 for DirSync.
  • Windows Server 2008 R2 for ADFS federation. This can be a domain controller.
  • Windows Server 2008 R2 for ADFS federation proxy in DMZ. This can be an IIS.
  • Account to log into these machines. This account needs to be local admin to be able to install DirSync and ADFS.
  • Account that is member of Enterprise Admins. This account is needed to configure DirSync. A service account, MSOL_AD_SYNC, is created in Users container.
  • Active Directory service account for ADFS, e.g. ADFS2SVC.
  • SSL certificate for ADFS, e.g. This certificate needs to be added to IIS of both ADFS and ADFS proxy servers.
  • External DNS record for to point at ADFS proxy. In internal DNS it should point at internal ADFS.

Information about setting up DirSync:

Read more about SSO with ADFS:

  • Make sure you have the service account created.
  • Make sure you have the SSL certificate available.
  • You may need an account with higher privileges when configuring ADFS on the first server, since it creates a container in Active Directory.
  • Make sure DNS records are correct. ADFS proxy needs to find ADFS on
  • Run the PowerShell commands to create a trust to Office 365 from ADFS (not ADFS proxy).

According to the recommendations from Microsoft, you need load-balanced ADFS and ADFS proxy servers, which means there should be at least two on each side.

Good luck!

Microsoft releases Office 365 wave 15

Microsoft today released “Next-Generation Office 365 for Business”, wave 15. At an online virtual launch event, Kurt DelBene (President Microsoft Office Division) and John Case (Corporate VP) presented the new wave of Office 365 building on Exchange 2013, Lync 2013 and SharePoint 2013.

Link to press release:

Set subscription with Powershell

When users have been synchronized to Office 365, they lack a subscription, which means they cannot access Exchange, Lync or SharePoint. Microsoft has documentation on how to activate synced users with the GUI. This can be automated using PowerShell.

   # Connect to service
   $Username = ""
   $Password = ConvertTo-SecureString "P@ssword" -AsPlainText -Force
   $Credentials = New-Object System.Management.Automation.PSCredential $Username,$Password
   Connect-MsolService -Credential $Credentials

   # Set location (required before a license can be assigned)
   Get-MSOLUser -UnlicensedUsersOnly | Set-MSOLUser -UsageLocation "SE"

   # Set subscription based on the Title attribute
   Get-MSOLUser -UnlicensedUsersOnly | where{$_.Title -eq "Student"} | Set-MsolUserLicense -AddLicenses "contoso:STUDENTPACK"
   Get-MSOLUser -UnlicensedUsersOnly | where{$_.Title -eq "Teacher"} | Set-MsolUserLicense -AddLicenses "contoso:FACULTYPACK"

Script to set new password in Office 365

The following script can be used to set a new password in Office 365. Replace the username and password of the service account and save the file as Set-Password.ps1.

Set-Password.ps1 -UserPrincipalName [UserPrincipalName] -NewPassword [NewPassword]

param(
   [parameter(Mandatory = $true)][string]$UserPrincipalName,
   [parameter(Mandatory = $true)][string]$NewPassword
)

function Set-Password([string]$UserPrincipalName, [string]$NewPassword)
{
   # Connect to service
   $Username = ""
   $Password = ConvertTo-SecureString "P@ssword" -AsPlainText -Force
   $Credentials = New-Object System.Management.Automation.PSCredential $Username,$Password
   Connect-MsolService -Credential $Credentials

   # Reset password. Set-MsolUserPassword takes -NewPassword as a plain string,
   # so the value is passed as-is rather than converted to a SecureString.
   Set-MsolUserPassword -UserPrincipalName $UserPrincipalName -NewPassword $NewPassword -ForceChangePassword $false
}

Set-Password -UserPrincipalName $UserPrincipalName -NewPassword $NewPassword
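
Both the subscription script and Set-Password.ps1 above keep the service account password in the script file and, for the reset, take the new password on the command line. The variant below is an added example, not part of the original post: it loads the service credential from a DPAPI-protected file and prompts for the new password instead. The file path, the -ForceChange parameter and the variable names are assumptions made for this example.

```powershell
# Added example (not from the original post).
# One-time setup, run interactively as the Windows account that will run this script:
#   Get-Credential | Export-Clixml -Path "$env:LOCALAPPDATA\msol-svc.cred.xml"
# Export-Clixml stores the password encrypted with DPAPI, so the file can only be
# decrypted by the same Windows user on the same machine.
param(
    [Parameter(Mandatory = $true)][string]$UserPrincipalName,
    # Hypothetical location of the stored service credential
    [string]$CredentialPath = "$env:LOCALAPPDATA\msol-svc.cred.xml",
    # Force the user to pick their own password at next sign-in (assumed default)
    [bool]$ForceChange = $true
)

Import-Module MSOnline

if (-not (Test-Path -LiteralPath $CredentialPath)) {
    throw "No stored credential at $CredentialPath. Create it with Get-Credential | Export-Clixml."
}

$Credentials = Import-Clixml -Path $CredentialPath
if ($Credentials -isnot [System.Management.Automation.PSCredential]) {
    throw "$CredentialPath does not contain a PSCredential object."
}
Connect-MsolService -Credential $Credentials

# Prompt for the new password so it does not end up in shell history,
# scheduled-task definitions or process command-line logging.
$Secure = Read-Host -Prompt "New password for $UserPrincipalName" -AsSecureString

# Set-MsolUserPassword takes a plain string, so convert as late as possible.
$Plain = (New-Object System.Management.Automation.PSCredential 'unused', $Secure).GetNetworkCredential().Password
try {
    # Discard the cmdlet output so the password is not echoed to the console or a transcript.
    Set-MsolUserPassword -UserPrincipalName $UserPrincipalName `
        -NewPassword $Plain -ForceChangePassword $ForceChange | Out-Null
}
finally {
    Remove-Variable -Name Plain
}
```

The same Import-Clixml lines can replace the "Connect to service" section of the subscription script.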

Updates to Live@edu upgrade process

The Microsoft Live@edu upgrade team has been working very hard to make sure the transition from Live@edu to Office 365 will be as smooth as possible. Two new features have recently been announced:

No downtime throughout the upgrade

Earlier the upgrade required a few hours of downtime, but this has been altered by the service team.

The duration of the upgrade is dependent on the size of your institution, and can take days to complete, but users won’t experience any downtime throughout the upgrade.

Password copy

The password is now copied from Live@edu to the new Office 365 account, which reduces complexity when informing the users about the service changes.

The first scheduled batches of upgrades have just started and will continue over the next couple of months. The customers will receive their first email approximately 30 days before their scheduled date.

External users in Office 365

SharePoint Online in Office 365 provides access for external users. From any site in SharePoint you can invite an external user by adding the email address either to the visitors or the members group. It is recommended that you use unique permissions when you create a subsite you want to share with external users. If you haven’t done this, break role inheritance and go to the URL /_layouts/permsetup.aspx to create unique groups for the site.

First, create a new subsite with unique permissions. Let’s call it Customers.

Make sure three new groups are created for the site.

Go to Share site and add the email address of the user.

After clicking Share you will be notified that the site has been shared with an external user. The person you have invited to the site receives an email that includes a link to accept the invitation. To accept the invitation, the invitee needs to provide an email address that is associated with a Microsoft account, or, if they’re an existing Office 365 customer, a Microsoft Online Services ID. If they don’t have an email address or a Microsoft account, they can create one for free.

The email address that is associated with the Microsoft account, the Hotmail, Live, or MSN address, or the Microsoft Online Services ID is the email address the person uses to log in to your SharePoint site. After login, the user will be added to the group.

The user claim for this Hotmail account is shown below.

To add the user to other groups on other sites, use the people picker and add the email address.

The people picker will probably neither be able to find the account nor will you be able to search for it, so you need to know the exact email address to add the user to other sites.