Administration

SharePoint Online & Sign-In Acceleration – SSO for SPO

Posted on

SPO

For those using SharePoint Online, you may have noticed that it does not provide the same home realm discovery that Exchange Online does, with Home Realm discovery meaning the services knows what domain/upn is being used and leveraging that authentication type for the user (Managed/Online versus Federated/ADFS).  SharePoint Online support now supports Sign-In Acceleration, which allows SPO to understand whether a browsing user is a Federated user and send to https://login.microsoftonline.com, with a directive that instructs login.microsoftonline.com to then forward the authentication request on to their ADFS deployed endpoint (i.e. https://sts.contoso.com).

Note – To enable this for your Office 365 tenant, please log a support case for this request and they can fulfill your request!

Explanation

Once auto-acceleration is enabled, the SPO authentication process works as follows:

  1. The user navigates to https://contoso.sharepoint.com in their web browser.
  2. SharePoint receives the request and detects that auto-acceleration is enabled for this tenant by leveraging the domain name in the domain.sharepoint.com URL being used to access SPO.
  3. The user is then sent to login.microsoftonline.com with extra information in the URL (a whr tag). This tag indicates to AAD that it is safe to accelerate the user directly to the ADFS endpoint, login.contoso.com.
  4. Once there, the user may enter their credentials and sign-in. In the case of domain-joined machines, the user will be signed in immediately based on browser settings for SSO.

This effectively allows SPO to provide home realm discovery and SSO for users, like Exchange Online does today and will make your SPO users much more happy, reducing the authentication prompts and requests for UPNs/Passwords.

Reconnecting Cloud Users with Old/Previous/Moved AD User Objects

Posted on Updated on

dirsync_thumb For those admins who have been around the Microsoft Cloud Services, such as BPOS and Office 365 2010, you may remember the issue where DirSync takes a user object, takes it’s objectGUID, double-base-64 encodes it and sends to the cloud as a sourceAnchor. This sourceAnchor is used to flag the user as being synchronized by DirSync and managed by an on-premises Active Directory.

For those admins who are or have moved from one Active Directory Forest to another, the objectGUID changes while the online user maintains this old objectGUID/sourceAnchor. SO, what do you do to reconnect the cloud user with the new AD user?  You leverage set-msolUser and set their -ImmutableID, which allows DirSync to hard-match (AD objectGUID == sourceAnchor) and take over management of this cloud object.  If the sourceAnchor does not exist in the cloud, then DirSync does a soft-match, based on SMTP address(es) and if there is a match, DirSync takes over management. BUT in this particular scenario the sourceAnchor overrides a soft-match approach, which is why the –ImmutableID option must be used.

Steps to Set -ImmutableID

Allowing DirSync, AAD Sync, AAD Connect to Take Over Management

  1. Move user to new forest
  2. Take their ObjectGUID, found in Active Directory Users and Computers –> Advanced View –> Attribute Editor tab in user object Properties location OR use ADSIEdit and use this site to convert the “objectGUID” to a “sourceAnchor”, which will then be set to -ImmutableID.
    1. http://guid-convert.appspot.com/
  3. Use the Get/Set-MSOLUser –ImmutableID command to the converted GUID, done in the step above. Reference to command variables: https://msdn.microsoft.com/en-us/library/azure/dn194136.aspx
    1. Set-msoluser –Userprincipalname upn@company.com–ImmutableID “xxxxxxxxx”
  4. Launch DirSync/Sync/Connect and allow it hard match on the user in the cloud and now this Office 365 user is under DirSync/Sync/Connect control.

Reporting on Office 365 Online Users with Services and Licensing Status

Posted on

For those Online Administrators who need to account for Online Users and the Services they are assigned, along with enabled services, this email is for you!  The below is provided as-is and should be placed into a .ps1 PowerShell file, so you can run these commands against the Microsoft Online Services.  The end result will be a .csv (spreadsheet) file that outputs all the relevant information:

…special thanks to Mauricio O. for the following information!

Steps to Run

Notes:

  1. Make sure you have installed the following prerequisites:
    1. Sign-In Assistant – Note: Even though the download states BETA, it is the proper SIA: http://www.microsoft.com/en-us/download/details.aspx?id=39267
    2. Windows Azure Active Directory Module for Windows PowerShell: https://portal.office.com/default.aspx#@/IdentityFederation/IdentityFederation.aspx
      1. clip_image001
  2. Start –> Run: Notepad
    1. Copy the text below into NotePad
      1. Replace the <user> with the location you want to save the output .csv spreadsheet file!

     

    1. Connect-MsolService -Credential $UserCredential

      write-host “Getting a list of users with their assigned licenses. Can take a while”

      $withlicense=get-msoluser -all | where {$_.islicensed}

      write-host “Tenant contains “$withlicense.count” licensed users. Generating report in c:\users\<user>\desktop\report.csv”

      ”UPN,Product,Status” | out-file “c:\users\<user>\desktop\report.csv” -Append

      foreach ($usr in $withlicense) {

          $status=$usr.licenses.servicestatus

          $status | %{

              $licstatus=$usr.userprincipalname+”,”+$_.serviceplan.servicename+”,”+$_.provisioningstatus

              $licstatus | out-file “c:\users\<user>\desktop\report.csv” -Append

          }

      }

  3. Save-As and set the File Type to All and place a .ps1 file extension to the file name
  4. clip_image003
  5. Open PowerShell and run the command, such as: c:\users\<user>\Desktop> .\OnlineuserReport.ps1

     

    Notes

  6. The output is all placed into a single column, so the best option here is to open the .csv file via Excel with File –> Open to review and massage the data!

  7. Launch Excel

  8. File –> Open and open the file

  9. Select Delimited à Next

  10. clip_image009

  1. Uncheck Tab and select Comma as the Delimiter –> Next

  2. clip_image011 

  3. Finish

  4. clip_image013 

  5. This will open the spreadsheet with the different data in different columns making it easier to read and review, filter, etc

  6. clip_image015

 

Legend of Column #3

  1. Pending Input = Needs attention from Admin to assign license
  2. Disabled = Disabled
  3. Success = Activated and enabled with Service, service listed in 2nd column

Managing the New Exchange Online OWA Document Collaboration Feature

Posted on

exchange_online_banner_sm

For those Office 365 Admins who are responsible for Outlook Web Access (OWA) and the new Document Collaboration feature, allowing Office 365 Web Apps to render the attached document and provide document editing and collaboration. While this is a great new addition, as Exchange previously would not allow or provide the ability to edit these attached documents, as the Exchange Information Store did not have that capability.  So now instead of having to save the attached document to a local PC, fileshare, SharePoint Online, etc and then edit the document, the attached documents can now have full editing capabilities, which is FANTASTIC!

OWA_Doc_Collaboration

So your next question might be “How do I manage this?  While I like this capability, my users may not be ready, I need to get everyone trained on this before rolling this out. How do I manage this?

special thanks to Bala K. for the following information

Steps to Manage Enablement/Disablement of OWA Document Editing

  1. Connect to Exchange Online via PowerShell
    1. http://help.outlook.com/en-us/140/cc952755.aspx
      1.  $LiveCred = Get-Credential
      2. $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
      3. Import-PSSession $Session
    2. Once connected, you will manage this OWA Document Editing Capability by managing the OWAMailboxPolicy attribute for the Exchange Online tenant level for all users:
      1. Tenant
        1. Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -WacViewingOnPublicComputersEnabled $False -WacViewingOnPrivateComputersEnabled $False

Note – When using this new feature notice that the attached document has three elipsys (dots) which give users the ability to select if they want to download, otherwise clicking the document will open the attached document into Editing View:

doc_edit_download

Exchange Online Protection (EOP) – SPAM, Blocklist, URL Community Participation

Posted on

exchange_online_banner

For those Exchange Online Admins who are interested in Protection, SPAM and other security related mail concepts, this posting is for you.

Exchange Online participates in Protection Communities, which handle tracking and sharing information to other Community Members:

  • Exchange Online participates in the following communities in regards to security:
    • IP Blocklist in concert with Spamhaus
    • URL Lists in concert with Spamhaus, SURBL, URIBL and Invaluement

Office 365 & Mobility Management – Enterprise Mobility Suite

Posted on Updated on

Screen Shot 2014-07-03 at 3.07.21 PM

For you Online Administrators who have a mobility management role and responsibility, then this posting is FOR YOU!  Learn more about how to manage your Bring Your Own Device (BYOD) strategy by managing business mobile devices via Microsoft Online Services.  The Enterprise Mobility Solution allows for iOS, Android and Windows Phones, and desktop(s), providing a complete solution for all your mobility needs and business needs.

Microsoft Enterprise Mobility Suite

Screen Shot 2014-07-03 at 3.04.37 PM

Exchange Online Load Balancing of Mailboxes – Considerations to Outlook Clients

Posted on

exchange_online_banner_sm

For Exchange Online Administrators who hear from their users that they “sometimes” get disconnected and reconnected quickly and wondering…what is going on…this posting is for you!

Background

Exchange Online is constantly reviewing Exchange Mailbox Servers, determining if the right load or amount of mailboxes are on the Exchange Server.  As you know, the Exchange Store, Database Availability Groups (DAG), etc all play a part in how many mailboxes should be located on a server.  EXO makes sure that no servers are NOT overburdened to make sure all users, using any mail application, are not impacted by slow or sluggish performance.

To this end, Office 365 Exchange Admins may notice from time to time, through an Exchange Hybrid Server or Exchange Online Remote PowerShell that EXO mailboxes are being moved, with a move designation as local. This signifies that the mailbox is being load balanced onto another backend mailbox server and don’t worry, this is an Online Move, which means the MBX is being copied/moved over to a new server to provide the best server resources available.  As a result of the Online Move, once complete the original MBX is removed, Active Directory and Exchange are updated to the new location of the mailbox and the Outlook user will reconnect to outlook.office365.com, which then connects to the new mailbox server and mailbox.

Outlook Users

For those users whose MBXs are being moved to provide the best possible server health and access, they may see Outlook show as Disconnected and then quickly show Connected, with each Outlook connection changing within seconds or less.  In order to minimize the impact to users, the best possible configuration for Outlook users is the following, which allows Outlook to send credentials when asked without being prompted.

  1. Internet Explorer
    1. Why IE?  IE leverages the OS’ WinInet, which is used by socket based applications and when EXO asks for credentials and you add the following to your IE Security Zone settings, Outlook is able to release those credentials without being prompted to manually enter them
      1. Internet Explorer –> Tools –> Internet Options –> Security –> Local Intranet –> Sites –> Advanced
        1. For Active Directory Federation Service (ADFS) SSO (Single Sign-On) users add:
          1. https://*.yourcompanyDomain.com
          2. https://*.microsoftonline.com
          3. https://outlook.office365.com
        2. For non ADFS users
          1. https://*.microsoftonline.com
          2. https://outlook.office365.com
  2. Outlook
    1. When connecting to Exchange Online via Outlook, make sure each user uses the Save or Remember Me authentication dialog box.  This saves the users credentials into the Windows Operating System’s Credential Manager (CredMan), so when/if their mailbox is moved and Outlook must reconnect to an Exchange Online CAFE Server (Client Access Front-End), EXO will ask “who are you” and CredMan will silently pass those credentials and allow the Outlook client to quickly reconnect!