Deploying Office 365

To get started with Office 365, this is a quick setup:


You will need:

  • 3-5 servers, Windows Server 2012 R2
    • AAD Sync, must be domain joined
    • ADFS01, must be domain joined
    • ADFS02, must be domain joined
    • WebProxy01, should not be domain joined
    • WebProxy02, should not be domain joined
  • SSL certificate for the federation gateway, e.g. fs.domain.com; it must be installed on all ADFS servers and Web Proxies.
  • Access to all servers with an installation account, which must be a Domain Admin.
  • Two AD service accounts, e.g. SVC-AADSYNC and SVC-ADFS. Both need to be Domain Users. SVC-AADSYNC will need more permissions for a hybrid deployment: http://msdn.microsoft.com/en-us/library/azure/dn757602.aspx#BKMK_CreateAnADAccountForTheSyncService
  • Service account in Office 365 which is a Global Administrator.
  • Internal DNS for fs.domain.com pointing to the ADFS NLB.
  • External DNS for fs.domain.com pointing to the Web Proxy NLB.
  • Office 365 tenant with licenses for your users.
  • Test accounts!

Please document setup well. Happy clouding!
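The checklist above mixes DNS, certificate and domain-membership requirements that are easy to get wrong on one of five servers. The following pre-flight script is an added example, not part of the original post: run it on each server before installing anything. The gateway name fs.domain.com comes from the post; the two NLB addresses, the external resolver and the Role value are placeholders you set per host.

```powershell
# Added example, not part of the original post. Pre-flight checks for the
# federation gateway name on one of the servers in the checklist. The gateway
# name comes from the post; NLB addresses, resolver and role are placeholders.
param(
    [string]$FederationHost   = 'fs.domain.com',
    [string]$ExpectedInternal = '10.0.0.50',      # constructed: ADFS NLB VIP
    [string]$ExpectedExternal = '203.0.113.10',   # constructed: Web Proxy NLB VIP
    [string]$ExternalResolver = '8.8.8.8',        # any resolver outside your network
    [ValidateSet('AADSync','ADFS','WebProxy')][string]$Role = 'ADFS'
)

$problems = @()

# 1. Split DNS: inside the network the name must resolve to the ADFS NLB,
#    from outside it must resolve to the Web Proxy NLB.
$internal = (Resolve-DnsName -Name $FederationHost -Type A -ErrorAction Stop).IPAddress
$external = (Resolve-DnsName -Name $FederationHost -Type A -Server $ExternalResolver -ErrorAction Stop).IPAddress
if ($internal -notcontains $ExpectedInternal) { $problems += "internal DNS resolves $FederationHost to $internal, expected $ExpectedInternal" }
if ($external -notcontains $ExpectedExternal) { $problems += "external DNS resolves $FederationHost to $external, expected $ExpectedExternal" }

# 2. Certificate: present in the machine store, with its private key, not about to expire
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$FederationHost*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert)                                    { $problems += "no certificate for $FederationHost in LocalMachine\My" }
elseif (-not $cert.HasPrivateKey)                  { $problems += "certificate $($cert.Thumbprint) has no private key" }
elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "certificate $($cert.Thumbprint) expires $($cert.NotAfter)" }

# 3. Domain membership: AAD Sync and ADFS are domain joined, the Web Proxies are not
$cs = Get-CimInstance Win32_ComputerSystem
$shouldBeJoined = ($Role -ne 'WebProxy')
if ($cs.PartOfDomain -ne $shouldBeJoined) {
    $problems += "$Role host $($cs.Name): domain joined = $($cs.PartOfDomain), expected $shouldBeJoined"
}

# 4. A Web Proxy must reach the ADFS farm on TCP 443 through the internal name
if ($Role -eq 'WebProxy') {
    $tcp = Test-NetConnection -ComputerName $FederationHost -Port 443 -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) { $problems += "cannot reach $FederationHost on TCP 443 from $($cs.Name)" }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "All pre-flight checks passed on $($cs.Name) ($Role)"
```

Run it as `.\Test-FederationPrereq.ps1 -Role WebProxy` on the proxies and with the default role on the ADFS servers; a non-zero exit code with warnings tells you which item of the checklist is still missing on that host.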

Free Office Pro for students

Today Microsoft announced a new education program called “Student Advantage”, which means students can get Office Pro for free if the institution has licenses for faculty and staff.

Beginning Dec. 1, any academic institution that licenses Office for staff and faculty can provide Office 365 ProPlus for students at no additional cost.

Most institutions deploying Office 365 have so far used the free A2 for both faculty and for students, but if A3 were deployed for faculty, there is an option to add Office Pro for students (A2 + Office Pro).

Read the entire announcement from Anthony Salcito: http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/10/15/microsoft-announces-new-student-advantage-program-to-prepare-students-for-tomorrow-s-jobs.aspx

Password Synchronization

Microsoft has released a new feature in an updated version of the Windows Azure Active Directory Sync tool: Password Synchronization. When activated, users' on-premises Active Directory passwords are copied to Windows Azure Active Directory (Azure AD), allowing the customer to use their on-premises password to log into their Office 365, Intune, CRM Online and other Online Services accounts. Changes to on-premises passwords are synced to the cloud within minutes (not every three hours).

Enable Password Synchronization

Uninstall old Directory Sync tool
The old Directory Synchronization tool must be uninstalled.

Enable Password Synchronization
To enable Password Sync for your tenant, use the following cmdlet syntax:

Set-MsolPasswordSyncEnabled –EnablePasswordSync $true

Note: Verify that the correct PowerShell module is installed and contains the cmdlet.

Install new Directory Sync tool
Install the new Windows Azure Active Directory Synchronization tool. Installation of the new tool requires a “full” sync. Please use the steps in the following article to optimize the initial full sync after upgrading.
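The three steps above, with the module check the note asks for and a before/after verification, as an added example (not the original post's commands). It assumes the Windows Azure Active Directory Module for Windows PowerShell (MSOnline) and that Get-MsolCompanyInformation exposes the DirectorySynchronizationEnabled, PasswordSynchronizationEnabled, LastDirSyncTime and LastPasswordSyncTime properties.

```powershell
# Added example, not from the original post. Enables password sync on the tenant
# after confirming the installed module actually carries the cmdlet.
Import-Module MSOnline -ErrorAction Stop

# The note above: an older module version lacks the cmdlet, so fail early with a clear message
if (-not (Get-Command Set-MsolPasswordSyncEnabled -ErrorAction SilentlyContinue)) {
    throw 'Set-MsolPasswordSyncEnabled not found: update the Windows Azure Active Directory Module for Windows PowerShell'
}

# Prompt for the Global Administrator credential instead of embedding it in the script
Connect-MsolService -Credential (Get-Credential -Message 'Office 365 Global Administrator')

# Password sync rides on directory sync; refuse to continue if that is not turned on
$before = Get-MsolCompanyInformation   # property names are an assumption, see lead-in
if (-not $before.DirectorySynchronizationEnabled) {
    throw 'Directory synchronization is not enabled for this tenant; enable it before password sync'
}
if ($before.PasswordSynchronizationEnabled) {
    Write-Host 'Password synchronization is already enabled'
} else {
    Set-MsolPasswordSyncEnabled -EnablePasswordSync $true
}

# Verify. LastPasswordSyncTime only starts advancing once the new Directory Sync tool
# has completed its first full sync (step 3 above).
Get-MsolCompanyInformation |
    Select-Object DirectorySynchronizationEnabled, PasswordSynchronizationEnabled,
                  LastDirSyncTime, LastPasswordSyncTime
```

After the new tool's full sync, a LastPasswordSyncTime that keeps moving is the quickest sign that hashes are actually arriving; a value that never updates usually means the sync service account lacks the extra permissions the hybrid-deployment article above describes.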

Password Synchronization does not replace Single Sign-on or Identity Federation. No token sharing or exchange takes place between the customer's on-premises environment and Office 365. The Password Sync feature will not synchronize passwords for users with Federated Identities; more precisely, it does try to sync their passwords, and the FIM client shows “successful”, but the cloud ignores the password reset.

According to Microsoft the Password Synchronization feature is only available with DirSync and not supported with the Office 365 connector for FIM (which is still not released).

Setting up Office 365

This is a quick guide to setting up Office 365 according to Microsoft best practice. This is what the setup looks like:

This is what you need:

  • Windows Server 2008 R2 for DirSync.
  • Windows Server 2008 R2 for ADFS federation. This can be a domain controller.
  • Windows Server 2008 R2 for the ADFS federation proxy in the DMZ. This can be an existing IIS server.
  • Account to log into these machines. This account needs to be a local admin to be able to install DirSync and ADFS.
  • Account that is a member of Enterprise Admins. This account is needed to configure DirSync. A service account, MSOL_AD_SYNC, is created in the Users container.
  • Active Directory service account for ADFS, e.g. ADFS2SVC.
  • SSL certificate for ADFS, e.g. fs.powerkjell.com. This certificate needs to be added to IIS on both the ADFS and ADFS proxy servers.
  • External DNS record for fs.powerkjell.com pointing at the ADFS proxy. In internal DNS it should point at the internal ADFS server.

Information about setting up DirSync: http://technet.microsoft.com/en-us/library/hh967642.aspx

Read more about SSO with ADFS: http://technet.microsoft.com/en-us/library/hh967628.aspx

  • Make sure you have the service account created.
  • Make sure you have the SSL certificate available.
  • You may need an account with higher privileges when configuring ADFS on the first server, since it creates a container in Active Directory.
  • Make sure DNS records are correct. The ADFS proxy needs to reach ADFS at fs.powerkjell.com.
  • Run the PowerShell commands to create a trust to Office 365 from ADFS (not the ADFS proxy).
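The last step, creating the trust from ADFS to Office 365, as an added example that is not the post's own commands. It uses the MSOnline module's federation cmdlets (Set-MsolADFSContext, Convert-MsolDomainToFederated, Get-MsolFederationProperty); powerkjell.com is the domain from the post, and the internal ADFS server name is a placeholder.

```powershell
# Added example, not from the original post. Run on the internal ADFS server (not the
# proxy) with the MSOnline module installed. Domain name from the post; server name is
# a placeholder.
Import-Module MSOnline -ErrorAction Stop

$DomainName = 'powerkjell.com'             # domain used in the post
$AdfsServer = 'adfs.powerkjell.local'      # placeholder: FQDN of the internal ADFS server

Connect-MsolService -Credential (Get-Credential -Message 'Office 365 administrator')

# Point the federation cmdlets at the ADFS farm that will sign tokens for this domain
Set-MsolADFSContext -Computer $AdfsServer

# Guard rails: the domain must already be verified in the tenant, and must not be
# the tenant's default *.onmicrosoft.com domain, which cannot be federated.
$domain = Get-MsolDomain -DomainName $DomainName -ErrorAction Stop
if ($domain.Status -ne 'Verified') { throw "$DomainName is not verified in the tenant yet" }
if ($DomainName -like '*.onmicrosoft.com') { throw 'The initial onmicrosoft.com domain cannot be federated' }

if ($domain.Authentication -eq 'Federated') {
    Write-Host "$DomainName is already federated; nothing to convert"
} else {
    # Converts the domain from Managed to Federated and registers the ADFS
    # endpoints and token-signing certificate with Office 365
    Convert-MsolDomainToFederated -DomainName $DomainName
}

# Compare what ADFS and Office 365 each hold: endpoints and signing certificate must match
Get-MsolFederationProperty -DomainName $DomainName
```

Get-MsolFederationProperty prints one record from the ADFS side and one from the Office 365 side; if the token-signing certificate thumbprints differ, the trust will fail and must be refreshed with Update-MsolFederatedDomain, which is worth running again whenever the ADFS signing certificate rolls over.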

According to the recommendations from Microsoft you need load balanced ADFS and ADFS proxy servers, which means there should be at least two on each side.

Good luck!

Microsoft releases Office 365 wave 15

Microsoft today released “Next-Generation Office 365 for Business”, wave 15. At an online virtual launch event, Kurt DelBene (President Microsoft Office Division) and John Case (Corporate VP) presented the new wave of Office 365 building on Exchange 2013, Lync 2013 and SharePoint 2013.

Link to press release: http://www.microsoft.com/en-us/news/Press/2013/Feb13/02-27OfficeCommercialGAPR.aspx?WT.mc_ID=soc_tw_office365

Set subscription with PowerShell

When users have been synchronized to Office 365, they lack a subscription (license), which means they cannot access Exchange, Lync or SharePoint. Microsoft has documentation on how to activate synced users with the GUI: http://technet.microsoft.com/en-us/library/hh967617.aspx This can be automated using PowerShell.

# Connect to service
$Username = "admin@mydomain.onmicrosoft.com"
$Password = ConvertTo-SecureString "P@ssword" -AsPlainText -Force
$Credentials = New-Object System.Management.Automation.PSCredential $Username,$Password
Connect-MsolService -Credential $Credentials

# Set usage location (required before a license can be assigned)
Get-MSOLUser -UnlicensedUsersOnly | Set-MSOLUser -UsageLocation "SE"

# Set subscription based on the Title attribute synced from AD
Get-MSOLUser -UnlicensedUsersOnly | where{$_.Title -eq "Student"} | Set-MsolUserLicense -AddLicenses "contoso:STUDENTPACK"
Get-MSOLUser -UnlicensedUsersOnly | where{$_.Title -eq "Teacher"} | Set-MsolUserLicense -AddLicenses "contoso:FACULTYPACK"
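The script above assigns blindly: a title with no mapping is silently skipped, and assignment fails halfway through when the SKU runs out of units, with the admin password sitting in the script file. The variant below is an added example (not the post's code) that prompts for the credential, checks remaining units with Get-MsolAccountSku before each assignment and reports every user it skips. The SKU ids and the "SE" usage location are the post's placeholders.

```powershell
# Added example, not from the original post. License synced users by Title, but
# check SKU capacity first and report what was skipped. SKU ids are placeholders.
Import-Module MSOnline -ErrorAction Stop
Connect-MsolService -Credential (Get-Credential -Message 'Office 365 administrator')

$UsageLocation  = 'SE'
$LicenseByTitle = @{ 'Student' = 'contoso:STUDENTPACK'; 'Teacher' = 'contoso:FACULTYPACK' }

# Remaining units per SKU, computed once up front and decremented locally as we assign
$remaining = @{}
foreach ($sku in Get-MsolAccountSku) {
    $remaining[$sku.AccountSkuId] = $sku.ActiveUnits - $sku.ConsumedUnits
}

$report = foreach ($user in Get-MsolUser -UnlicensedUsersOnly -All) {
    $upn = $user.UserPrincipalName
    $sku = $LicenseByTitle[$user.Title]

    if (-not $sku) {
        [pscustomobject]@{ User = $upn; Result = "skipped: no mapping for title '$($user.Title)'" }; continue
    }
    if (-not $remaining.ContainsKey($sku)) {
        [pscustomobject]@{ User = $upn; Result = "skipped: SKU $sku not in tenant" }; continue
    }
    if ($remaining[$sku] -le 0) {
        [pscustomobject]@{ User = $upn; Result = "skipped: no units left on $sku" }; continue
    }

    try {
        # Usage location is mandatory before a license can be assigned; only set it if missing
        if (-not $user.UsageLocation) {
            Set-MsolUser -UserPrincipalName $upn -UsageLocation $UsageLocation -ErrorAction Stop
        }
        Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $sku -ErrorAction Stop
        $remaining[$sku]--
        [pscustomobject]@{ User = $upn; Result = "licensed with $sku" }
    } catch {
        [pscustomobject]@{ User = $upn; Result = "failed: $($_.Exception.Message)" }
    }
}

$report | Format-Table -AutoSize
$report | Export-Csv -Path ".\license-run-$(Get-Date -Format yyyyMMdd-HHmm).csv" -NoTypeInformation
```

The CSV gives you a record of who got which SKU in each run, which is what you will want when a user reports missing mail and when the license count has to be reconciled with the purchase order.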

Script to set new password in Office 365

The following script can be used to set a new password in Office 365. Replace the username and password of the service account and save the file as Set-Password.ps1.

Set-Password.ps1 -UserPrincipalName [UserPrincipalName] -NewPassword [NewPassword]

param
(
   [parameter(Mandatory = $true)][string]$UserPrincipalName,
   [parameter(Mandatory = $true)][string]$NewPassword
)

function Set-Password()
{
   # Connect to service
   $Username = "admin@mydomain.onmicrosoft.com"
   $Password = ConvertTo-SecureString "P@ssword" -AsPlainText -Force
   $Credentials = New-Object System.Management.Automation.PSCredential $Username,$Password
   Connect-MsolService -Credential $Credentials

   # Reset password
   $pwd = ConvertTo-SecureString $NewPassword -AsPlainText -Force
   Set-MsolUserPassword -UserPrincipalName $UserPrincipalName -NewPassword $pwd -ForceChangePassword $false
}

Set-Password -UserPrincipalName $UserPrincipalName -NewPassword $NewPassword
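The script above keeps the admin password in clear text inside the .ps1 and, because password sync ignores resets for federated users (see the Password Synchronization post above), it will report success on a federated account while nothing changes. The following is an added example, not the post's script: it loads the service credential from a DPAPI-protected file created once with Get-Credential | Export-Clixml, refuses to reset users in a federated domain, and forces a change at next logon unless told otherwise. The credential file path is a placeholder.

```powershell
# Added example, not from the original post. Reset an Office 365 password without a
# clear-text admin password in the script. Credential file path is a placeholder;
# create it once, as the account that will run the script, with:
#   Get-Credential | Export-Clixml "$env:USERPROFILE\o365-svc.cred.xml"
param(
    [parameter(Mandatory = $true)][string]$UserPrincipalName,
    [parameter(Mandatory = $true)][string]$NewPassword,
    [string]$CredentialFile = "$env:USERPROFILE\o365-svc.cred.xml",
    [switch]$NoForceChange     # by default the user must pick a new password at next logon
)

Import-Module MSOnline -ErrorAction Stop

if (-not (Test-Path $CredentialFile)) {
    throw "Credential file $CredentialFile not found; create it with Get-Credential | Export-Clixml"
}
# Export-Clixml protects the password with DPAPI: only the same Windows user on the
# same machine can read it back, which is far better than a literal in the script.
$ServiceCredential = Import-Clixml -Path $CredentialFile
Connect-MsolService -Credential $ServiceCredential

# Fail clearly if the user does not exist instead of letting the reset cmdlet guess
$null = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop

# Federated users authenticate on-premises; a cloud reset is ignored there, so refuse it
$domain = Get-MsolDomain -DomainName $UserPrincipalName.Split('@')[1] -ErrorAction Stop
if ($domain.Authentication -eq 'Federated') {
    throw "$UserPrincipalName is in federated domain $($domain.Name); reset the password in on-premises AD instead"
}

# Set-MsolUserPassword takes the new password as a plain string
Set-MsolUserPassword -UserPrincipalName $UserPrincipalName `
                     -NewPassword $NewPassword `
                     -ForceChangePassword (-not $NoForceChange)

# Minimal audit line: who reset whom, and when
Write-Host "$(Get-Date -Format o) password reset for $UserPrincipalName by $($ServiceCredential.UserName)"
```

Passing the new password on the command line still leaves it in the PowerShell history of the admin's session; for helpdesk use, consider prompting with Read-Host -AsSecureString instead of the -NewPassword parameter.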

Updates to Live@edu upgrade process

The Microsoft Live@edu upgrade team has been working very hard to make sure the transition from Live@edu to Office 365 will be as smooth as possible. Two new features have recently been announced:

No downtime throughout the upgrade

Earlier the upgrade required a few hours downtime, but this has been altered by the service team.

The duration of the upgrade is dependent on the size of your institution, and can take days to complete, but users won’t experience any downtime throughout the upgrade.

http://community.office365.com/en-us/wikis/upgrade/overview.aspx

Password copy

The password is now copied from Live@edu to the new Office 365 account, which reduces complexity when informing the users about the service changes.

The first scheduled batches of upgrades have just started and will continue over the next couple of months. Customers will receive their first email approximately 30 days before their scheduled date.

External users in Office 365

SharePoint Online in Office 365 provides access for external users. From any site in SharePoint you can invite an external user by adding the email address to either the visitors or the members group. It is recommended that you use unique permissions when you create a subsite you want to share with external users. If you haven’t done this, break role inheritance and go to the URL /_layouts/permsetup.aspx to create unique groups for the site.

First, create a new subsite with unique permissions. Let’s call it Customers.

Make sure three new groups are created for the site.

Go to Share site and add the email address of the user.

After clicking Share you will be notified the site has been shared with an external user. The person you have invited to the site receives an email that includes a link to accept the invitation. To accept the invitation, the invitee needs to provide an email address that is associated with a Microsoft account, or, if they’re an existing Office 365 customer, a Microsoft Online Services ID. If they don’t have an email address or a Microsoft account, they can create one for free.

The email address that is associated with the Microsoft account, the Hotmail, Live, or MSN address, or the Microsoft Online Services ID is the email address the person uses to log in to your SharePoint site. After login, the user will be added to the group.

The user claim for this Hotmail account is shown below.

To add the user to other groups on other sites, use the people picker and add the email address.

The people picker will probably not be able to find the account, nor will you be able to search for it, so you need to know the exact email address to add the user to other sites.