Office 2016 for Mac Update & EXO Authentication Problems – Enable EXO Tenant for ADAL

Posted on Updated on


If you are using Office 2016 for Mac and recently started seeing multiple authentication prompts, you may be using a new ADAL (Active Directory Authentication Library) and your Exchange Online tenant may not be enabled, thus causing authentication problems.1.

To resolve this issue for your Outlook for Mac clients (Windows Outlook can use ADAL, although it must be enabled, however Outlook was automatically updated and is looking for an ADAL Auth response from EXO), follow the steps below.


Turn on modern authentication for Exchange Online

  1. Connect to Exchange Online as shown here.
  2. Run the following command:
    Set-OrganizationConfig -OAuth2ClientProfileEnabled:$true
  3. Run the following command to verify that change was successful:
    Get-OrganizationConfig | ft name, *OAuth*


  • Restart your Outlook for Mac client and authenticate


Note – You should NOT receive multiple authentication prompts, although you may need to authenticate the first time, which is saved into your Mac Keychain!

Using EXO Modern Groups for SHD Postings

Posted on

Many Office 365 Service admins do not want to grant Admin rights to people, say in the Help Desk or Support organizations.  Today Admins must grant some sort of Admin role/right for users to check the Services Health Dashboard (SDH), however you might want to consider using Exchange Online Modern Groups to manage SHD postings.

The idea is to create a Modern Group, add the Help Desk members to this group and enable the Modern Group –> Connectors, and add the SHD RSS feed, which will bring these items into the Modern Group, which is effectively a combination of Security & Distribution (SG & DG) groups together, with a Shared Mailbox/Calendar and backing SharePoint Online (SPO) Notebook and Document/Files library.

Note – In order to use Modern Groups, you must have an Exchange Online license and IF you want a backing Notebook (OneNote) and Files (Document Library), the user creating and managing this Modern Group must have an SPO license.


  1. Login to your Exchange Online Mailbox via OWA
    1. Example:
  2. Click the Groups + item in the left navigation pane
    1. modernGroups_Create
    2. Click Create
    3. Fill out all the necessary questions, such as Name, Public versus Private, etc.
    4. createGroup1
    5. Add members as you see fit
    6. createGroup2_AddUsers
  3. Once the Modern Group has been created, use the below URL ‘parameter’ to the Modern Group URL, which will enable the ‘Connectors’ feature to be enabled
    1. &EnableConnectorDevPreview=true
      1. Example of Full URL:
  4. Click Connectors and…
    1. Add this SHD RSS Feed URL: Connectors à Scroll down to bottom and select RSS and enter:–3s –> Save
    2. createGroup3_AddRSSFeed
  5. As items are posted, it is sent to this Modern Group where these Service Desk people can review.
  6. createGroup4_results

UPN-SMTP MisMatch in Office 365: Making EXO/LYO Presence-IM-FB Work for Lync Client

Posted on Updated on

Lync-2010_md For those companies who are not able to align their User Principal Name (UPN) and SMTP (Email) address, such as Email: and UPN:, you may find that your Lync/Skype for Business client is unable to pull free/busy information from Exchange Online. This is due to the difference in ‘logins’ and values, so the below option gives the machine’s Lync client the ability to ‘trust’ these different domains, providing the ability to properly pull IM/Presence and Free/Busy information.

Special thanks to Edward P. for the following information!


  • Sign-out from Lync and Delete Sign-in info
  • Exit Lync and exit Outlook
  • Delete the Tracing , CEIP and sip_user folders in this path %localappdata%\Microsoft\Office\15.0\Lync
  • Delete the Lync registry key from HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\

Manually modify the TrustModelData registry value for this user, Open CMD in Elevated mode and run the cmd below. Note that the below is for Office Lync 2013 client, using the \15.0 registry key.


Reg Add “HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\Lync” /V “TrustModelData” /T REG_EXPAND_SZ /D “,,,,” /F

  •  Start Lync and sign back in

Note – If you are running in Exchange Hybrid Mode, you may have autodiscover.<emailDomain>.com pointing to on-premises Exchange. If this is the case, you will need to create and use a local PC HOSTS file, with autodiscover.<emailDomain>.com pointing to an IP address for this DNS A record:, so your Lync client can connect into Exchange Online to properly pull the F/B information.

SharePoint Online & Sign-In Acceleration – SSO for SPO

Posted on


For those using SharePoint Online, you may have noticed that it does not provide the same home realm discovery that Exchange Online does, with Home Realm discovery meaning the services knows what domain/upn is being used and leveraging that authentication type for the user (Managed/Online versus Federated/ADFS).  SharePoint Online support now supports Sign-In Acceleration, which allows SPO to understand whether a browsing user is a Federated user and send to, with a directive that instructs to then forward the authentication request on to their ADFS deployed endpoint (i.e.

Note – To enable this for your Office 365 tenant, please log a support case for this request and they can fulfill your request!


Once auto-acceleration is enabled, the SPO authentication process works as follows:

  1. The user navigates to in their web browser.
  2. SharePoint receives the request and detects that auto-acceleration is enabled for this tenant by leveraging the domain name in the URL being used to access SPO.
  3. The user is then sent to with extra information in the URL (a whr tag). This tag indicates to AAD that it is safe to accelerate the user directly to the ADFS endpoint,
  4. Once there, the user may enter their credentials and sign-in. In the case of domain-joined machines, the user will be signed in immediately based on browser settings for SSO.

This effectively allows SPO to provide home realm discovery and SSO for users, like Exchange Online does today and will make your SPO users much more happy, reducing the authentication prompts and requests for UPNs/Passwords.

Reconnecting Cloud Users with Old/Previous/Moved AD User Objects

Posted on Updated on

dirsync_thumb For those admins who have been around the Microsoft Cloud Services, such as BPOS and Office 365 2010, you may remember the issue where DirSync takes a user object, takes it’s objectGUID, double-base-64 encodes it and sends to the cloud as a sourceAnchor. This sourceAnchor is used to flag the user as being synchronized by DirSync and managed by an on-premises Active Directory.

For those admins who are or have moved from one Active Directory Forest to another, the objectGUID changes while the online user maintains this old objectGUID/sourceAnchor. SO, what do you do to reconnect the cloud user with the new AD user?  You leverage set-msolUser and set their -ImmutableID, which allows DirSync to hard-match (AD objectGUID == sourceAnchor) and take over management of this cloud object.  If the sourceAnchor does not exist in the cloud, then DirSync does a soft-match, based on SMTP address(es) and if there is a match, DirSync takes over management. BUT in this particular scenario the sourceAnchor overrides a soft-match approach, which is why the –ImmutableID option must be used.

Steps to Set -ImmutableID

Allowing DirSync, AAD Sync, AAD Connect to Take Over Management

  1. Move user to new forest
  2. Take their ObjectGUID, found in Active Directory Users and Computers –> Advanced View –> Attribute Editor tab in user object Properties location OR use ADSIEdit and use this site to convert the “objectGUID” to a “sourceAnchor”, which will then be set to -ImmutableID.
  3. Use the Get/Set-MSOLUser –ImmutableID command to the converted GUID, done in the step above. Reference to command variables:
    1. Set-msoluser –Userprincipalname–ImmutableID “xxxxxxxxx”
  4. Launch DirSync/Sync/Connect and allow it hard match on the user in the cloud and now this Office 365 user is under DirSync/Sync/Connect control.

Reporting on Office 365 Online Users with Services and Licensing Status

Posted on

For those Online Administrators who need to account for Online Users and the Services they are assigned, along with enabled services, this email is for you!  The below is provided as-is and should be placed into a .ps1 PowerShell file, so you can run these commands against the Microsoft Online Services.  The end result will be a .csv (spreadsheet) file that outputs all the relevant information:

…special thanks to Mauricio O. for the following information!

Steps to Run


  1. Make sure you have installed the following prerequisites:
    1. Sign-In Assistant – Note: Even though the download states BETA, it is the proper SIA:
    2. Windows Azure Active Directory Module for Windows PowerShell:
      1. clip_image001
  2. Start –> Run: Notepad
    1. Copy the text below into NotePad
      1. Replace the <user> with the location you want to save the output .csv spreadsheet file!


    1. Connect-MsolService -Credential $UserCredential

      write-host “Getting a list of users with their assigned licenses. Can take a while”

      $withlicense=get-msoluser -all | where {$_.islicensed}

      write-host “Tenant contains “$withlicense.count” licensed users. Generating report in c:\users\<user>\desktop\report.csv”

      ”UPN,Product,Status” | out-file “c:\users\<user>\desktop\report.csv” -Append

      foreach ($usr in $withlicense) {


          $status | %{


              $licstatus | out-file “c:\users\<user>\desktop\report.csv” -Append



  3. Save-As and set the File Type to All and place a .ps1 file extension to the file name
  4. clip_image003
  5. Open PowerShell and run the command, such as: c:\users\<user>\Desktop> .\OnlineuserReport.ps1



  6. The output is all placed into a single column, so the best option here is to open the .csv file via Excel with File –> Open to review and massage the data!

  7. Launch Excel

  8. File –> Open and open the file

  9. Select Delimited à Next

  10. clip_image009

  1. Uncheck Tab and select Comma as the Delimiter –> Next

  2. clip_image011 

  3. Finish

  4. clip_image013 

  5. This will open the spreadsheet with the different data in different columns making it easier to read and review, filter, etc

  6. clip_image015


Legend of Column #3

  1. Pending Input = Needs attention from Admin to assign license
  2. Disabled = Disabled
  3. Success = Activated and enabled with Service, service listed in 2nd column

Managing the New Exchange Online OWA Document Collaboration Feature

Posted on


For those Office 365 Admins who are responsible for Outlook Web Access (OWA) and the new Document Collaboration feature, allowing Office 365 Web Apps to render the attached document and provide document editing and collaboration. While this is a great new addition, as Exchange previously would not allow or provide the ability to edit these attached documents, as the Exchange Information Store did not have that capability.  So now instead of having to save the attached document to a local PC, fileshare, SharePoint Online, etc and then edit the document, the attached documents can now have full editing capabilities, which is FANTASTIC!


So your next question might be “How do I manage this?  While I like this capability, my users may not be ready, I need to get everyone trained on this before rolling this out. How do I manage this?

special thanks to Bala K. for the following information

Steps to Manage Enablement/Disablement of OWA Document Editing

  1. Connect to Exchange Online via PowerShell
      1.  $LiveCred = Get-Credential
      2. $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $LiveCred -Authentication Basic -AllowRedirection
      3. Import-PSSession $Session
    2. Once connected, you will manage this OWA Document Editing Capability by managing the OWAMailboxPolicy attribute for the Exchange Online tenant level for all users:
      1. Tenant
        1. Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -WacViewingOnPublicComputersEnabled $False -WacViewingOnPrivateComputersEnabled $False

Note – When using this new feature notice that the attached document has three elipsys (dots) which give users the ability to select if they want to download, otherwise clicking the document will open the attached document into Editing View: