Category Archives: Office 365

Office 365 - Single Sign-On for SharePoint, Skydrive, CRM, etc. via Smart Links

Update: I have released a smart link generator to have these items created automatically, please find this here: http://jackstromberg.com/o365-smart-linksso-link-generator/

Synopsis: One of the biggest problems I have seen with Office 365 is how hard it is for users to reach the Office 365 resources.  As pointed out on many of the Microsoft forums, SharePoint, CRM, SkyDrive, etc. do not automatically complete a single sign-on request when a user browses to the site.

Problem: When a user browses to https://mydomain.sharepoint.com, for example, they are prompted to enter their email address.  What the user expects is to be signed in automatically and land on SharePoint.  Additionally, users cannot remember the address https://mydomain.sharepoint.com; they want something like http://sharepoint.mydomain.com instead.

Solution: Create branded "fancy URLs" that kick off an IdP-initiated sign-in against your ADFS server, giving the user a true SSO experience.

  • http://owa.mydomain.com
  • http://sharepoint.mydomain.com
  • http://skydrive.mydomain.com
  • http://crm.mydomain.com

Solution steps:

  1. Open up Internet Explorer
  2. Navigate to https://mydomain.sharepoint.com
    Sign into Office 365
  3. Press F12 to open up the developer tools console (I am running IE 11, the console looks way different than previous versions of IE)
    Sign into Office 365 - Developer Console
  4. Scroll down and select the icon that looks like a little WiFi antenna
    Sign into Office 365 - Developer Console - Network
  5. Click the green play button
    Sign into Office 365 - Developer Console - Network - Start Capture
  6. Type in your email address as you would to log in to SharePoint (for example, user@mydomain.com)
  7. You should be redirected to your ADFS server, and inside the network console you should see a request to a link like https://sts.mydomain.com/adfs/ls/?..................  Copy this link into Notepad.
    Office 365 - Federated URL
  8. Strip the surrounding console output so only the URL itself remains
    Before
    Office 365 - Federated URL - Notepad

    After
    Office 365 - Federated URL - Cleaned - Notepad
  9. Remove everything from cbcxt=..... up to (but not including) wa=wsignin1.0.  The parameters in that span are per-request values from your capture session; wa=wsignin1.0 is the WS-Federation sign-in action and must stay.
    Office 365 - Federated URL - cbcxt removed
  10. Remove the ct%3D1386214464%26 and bk%3D1386214464%26 parameters from inside wctx.  These are epoch timestamps (1386214464 is 5 December 2013) that change with every capture, and the link works without them.
    Office 365 - Federated URL - ct and bk removed
  11. Next, open a new Notepad document named index.html and paste the following text into it
      <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
      <html xmlns="http://www.w3.org/1999/xhtml">
      <head>
        <title>CRM</title>
        <!-- 0-second meta refresh: the browser follows the smart link immediately -->
        <meta http-equiv="refresh" content="0; url=https://sts.mydomain.com link goes here" />
      </head>
      <body>
      </body>
      </html>
      Redirect to URL template

  12. Replace https://sts.mydomain.com link goes here with your new smart link and save the document.
    Redirect to federated URL
  13. Upload the index.html file to one of your web servers
  14. Create a new A record called sharepoint.mydomain.com pointing to your webserver
  15. Now when a user browses to http://sharepoint.mydomain.com, they are redirected to your ADFS proxy over HTTPS and signed in automatically.

You will need to repeat the steps above for each of the Office 365 products your company uses.  The federated addresses do change, so you will have to follow all of the steps over again for each Smart Link you wish to create.  One caveat: the fancy URL itself is plain http://, so the page holding the redirect is served unauthenticated.  Host it over HTTPS if you can, and in any case make sure the meta refresh target is your https://sts.mydomain.com address, so that someone on the network path cannot swap in a look-alike sign-in page.
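To automate steps 7 through 12, here is an added example (my own PowerShell, not code from the original post or from the link generator mentioned at the top): it takes the URL captured from the network console, keeps only the WS-Federation parameters, drops ct and bk from wctx, checks that wreply is the HTTPS Office 365 address you expect, and writes the index.html redirect page.  The sample capture at the bottom is constructed to match the shape described above; sts.mydomain.com, the mydomain.sharepoint.com wreply and the other wctx values are assumptions (urn:federation:MicrosoftOnline is the realm Office 365 uses).

```powershell
# Added example, not code from the original post or its link generator.
# Turns a captured ADFS redirect into a stable smart link plus index.html.
Add-Type -AssemblyName System.Web

function New-SmartLink {
    param(
        [Parameter(Mandatory = $true)][string]$CapturedUrl,
        [string]$ExpectedReplyHost    # e.g. mydomain.sharepoint.com; optional sanity check
    )

    $uri   = [uri]$CapturedUrl
    $outer = [System.Web.HttpUtility]::ParseQueryString($uri.Query)

    # Step 9: only wa, wtrealm and wctx survive; everything else in the outer
    # query (cbcxt, the typed username, ...) is per-request capture noise.
    foreach ($p in 'wa', 'wtrealm', 'wctx') {
        if (-not $outer[$p]) { throw "captured URL has no '$p' parameter" }
    }
    if ($outer['wa'] -ne 'wsignin1.0') { throw "unexpected wa value '$($outer['wa'])'" }

    # Step 10: wctx is itself a URL-encoded query string; ct and bk change
    # with every capture (1386214464 is an epoch timestamp) and are dropped.
    $ctx = [System.Web.HttpUtility]::ParseQueryString($outer['wctx'])
    foreach ($p in 'ct', 'bk') { $ctx.Remove($p) }

    # wreply is where ADFS sends the user after sign-in. Refuse anything that
    # is not https:// (and, if asked, anything but the expected host) so a
    # bad capture cannot turn the smart link into a redirect elsewhere.
    $reply = $ctx['wreply']
    if (-not $reply -or $reply -notmatch '^https://') {
        throw "wctx wreply is not an https address: '$reply'"
    }
    if ($ExpectedReplyHost -and ([uri]$reply).Host -ne $ExpectedReplyHost) {
        throw "wreply host '$(([uri]$reply).Host)' is not '$ExpectedReplyHost'"
    }

    $wtrealm = [System.Web.HttpUtility]::UrlEncode($outer['wtrealm'])
    $wctx    = [System.Web.HttpUtility]::UrlEncode($ctx.ToString())  # re-encodes the inner query
    $link    = "https://$($uri.Host)$($uri.AbsolutePath)?wa=wsignin1.0&wtrealm=$wtrealm&wctx=$wctx"

    # Same meta-refresh template as step 11; HTML-encoding the link keeps the
    # '&' separators legal inside the attribute value.
    $html = @"
<!DOCTYPE html>
<html>
<head>
<title>$([System.Net.WebUtility]::HtmlEncode(([uri]$reply).Host))</title>
<meta http-equiv="refresh" content="0; url=$([System.Net.WebUtility]::HtmlEncode($link))" />
</head>
<body></body>
</html>
"@

    [pscustomobject]@{ SmartLink = $link; ReplyTo = $reply; Html = $html }
}

# Constructed sample capture (not a real tenant), shaped like the redirect the
# post describes: session parameters first, then wa/wtrealm/wctx.
$captured = 'https://sts.mydomain.com/adfs/ls/?cbcxt=&vv=&username=user%40mydomain.com&mkt=&lc=1033' +
            '&wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline' +
            '&wctx=MEST%3D0%26LoginOptions%3D2%26wa%3Dwsignin1.0%26rpsnv%3D2%26ct%3D1386214464' +
            '%26rver%3D6.1.6206.0%26wp%3DMCMBI%26wreply%3Dhttps%253a%252f%252fmydomain.sharepoint.com%252f' +
            '%26lc%3D1033%26id%3D500046%26bk%3D1386214464'

$smart = New-SmartLink -CapturedUrl $captured -ExpectedReplyHost 'mydomain.sharepoint.com'
$smart.SmartLink
Set-Content -Path .\index.html -Value $smart.Html -Encoding UTF8   # upload this file (step 13)
```

Run it once per product with the matching capture and -ExpectedReplyHost, and compare the printed link against the one you cleaned by hand; the resulting index.html is what goes onto the web server behind each fancy URL.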

NOTES:

Here is an official article on creating smart links: http://community.office365.com/en-us/wikis/sso/using-smart-links-or-idp-initiated-authentication-with-office-365.aspx

Yammer and Office 365 Enterprise

If you are on the enterprise plans of Office 365 (E4 for example), your users may be eligible to use Microsoft's enterprise social network called Yammer.  This article will cover a few questions I was curious about when rolling out Yammer as well as what to expect.

How do I tell if I am eligible?

  1. Login to the Office 365 admin portal (https://portal.microsoftonline.com)
  2. Click on included services on the dashboard
    Office 365 Portal - Included Services

How do I activate Yammer?

  1. If you are eligible for the Yammer service, click on the Yes, activate Yammer Enterprise for my network
    Office 365 Portal - Included Services
  2. Click on the Activate Yammer Enterprise button
    Office 365 - Activate Yammer Enterprise
  3. You will be redirected to a screen where you see a loading bar.  Grab a can of pop/coffee/tea/water and come back.
    Office 365 - Were activating Yammer Enterprise
  4. Click on the Create Yammer Account link once Yammer Enterprise has been provisioned.
    Office 365 - Yammer Enterprise is now ready
  5. Type in the same email address you use for your Office 365 Admin credentials
    Sign Up for Yammer
  6. If successful, you should see the screen below:
    Yammer - Thank you for signing up
  7. Check your email and click on the Complete Signup button
    Yammer Activation Email
  8. Type in your information and click the Next button
    Yammer - Welcome to the network
  9. Click Next on the who do you work with page, or spam your colleagues to sign up as well.
    Yammer - Who do you work with
  10. Join or create any groups you would like and then click Next
    Yammer - Join Relevant Groups
  11. Optionally, add a profile picture and click Save & Continue
    Yammer - Add your profile photo
  12. Click on the 3 dots in the top right corner and select Network Admin
    Yammer - Network Admin
  13. Welcome to your Yammer Enterprise Admin portal!  Here you can manage all aspects of Yammer for your organization.
    Yammer - Network Admin - Dashboard
  14. Lastly, if you go back to your Office 365 Admin portal, you should see a link that will redirect you to the Yammer.com website.
    Office 365 - Admin - Yammer

FAQ

Does Yammer support single-sign on or ADFS?

At the time of writing, Yammer does not support this integration.

Will Yammer find users previously signed up with email addresses from @mydomain.com?

Yes

Does Microsoft have plans on continuing to integrate Yammer and Office 365?

Yes, Microsoft has announced they would like deeper integration with Office 365, more specifically with functionality in SharePoint.  Quarter 4 of this year (2013) was their deadline for the first integration, and we have seen they have started to deliver.  However, there are no specific dates yet of when users will be 100% synchronized between the two systems.

When I activate Yammer on Office 365 for my organization will it email all of my users to create profiles?

No, they will have to join manually, or you will have to send them invites to create a separate Yammer account.

Office 365 - Sorry, but we're having trouble signing you in: error 80041034

Symptom: After changing the User Principal Name (UPN) of a user in your on-premise Active Directory environment (it is the UPN, not the samAccountName, that Office 365 matches the sign-in against), running the DirSync tool to update the user on Office 365 (or waiting 3 hours), and verifying that the user's new UPN has synchronized in the Office 365 admin portal, the user is presented with the following error when trying to sign into Outlook, SharePoint, CRM, etc. on Office 365.

Sorry, but we're having trouble signing you in  Please try again in a few minutes.  If this doesn't work, you might want to contact your admin and report the following error: 80041034.

Office 365 - Error 80041034

 

Solution: This turns out to be an issue with ADFS (Active Directory Federation Services): the Local Security Authority on the ADFS server caches the user's old name/SID lookup, so the renamed account is not resolved correctly and the login fails.  Here are a couple of solutions to this issue:

  1. Try refreshing the Office 365 relying party trust.
    1. Login to one of your ADFS servers.
    2. Click Start, All Programs, Windows Azure Active Directory, and then select Windows Azure Active Directory Module for Windows PowerShell.
    3. Execute the following command to connect to Microsoft's online services (when prompted, type in your Office 365 Administrator credentials)
      1. Connect-MsolService
    4. Execute the following command to update the federated trust for your domain
      1. Update-MsolFederatedDomain -DomainName <Federated Domain Name>
  2. Try temporarily disabling the Local Security Authority (LSA) name/SID lookup cache on your AD FS servers (note this can increase the load on your ADFS and AD DS servers, since every lookup then goes to a domain controller)
    1. Login to each of your ADFS servers and complete the following steps
      1. Click Start -> Run -> regedit to open up the registry editor
      2. run - regedit
      3. Navigate to the following registry key
        1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
          HKEY_LOCAL_MACHINE-SYSTEM-CurrentControlSet-Control-Lsa
      4. Right click on Lsa, select New -> DWORD (32-bit) Value
        HKEY_LOCAL_MACHINE-SYSTEM-CurrentControlSet-Control-Lsa - new DWORD
      5. Enter LsaLookupCacheMaxSize as the value name and press Enter
        LsaLookupCacheMaxSize
      6. Right click on LsaLookupCacheMaxSize and select Modify
        Modify LsaLookupCacheMaxSize
      7. Ensure the value data is set to 0 and select OK
        LsaLookupCacheMaxSize - Edit DWORD
    2. Verify the user can successfully login.  Once they can, continue on to delete the key we created
    3. Right click on the LsaLookupCacheMaxSize value we created and select Delete
      Delete LsaLookupCacheMaxSize
  3. Reboot all ADFS and ADFS proxy servers in your environment

Microsoft has released an official KB article referencing this issue, you can find it here: http://support.microsoft.com/kb/2535191
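As an added example (my own script, not from the original post or the KB article), here are solutions 1 and 2 above in one PowerShell script that refreshes the federation trust and then applies, or with -Revert removes, the LsaLookupCacheMaxSize value on every AD FS server at once.  The server names and federated domain are assumptions; it assumes PowerShell remoting (WinRM) is enabled to the AD FS servers and that the Windows Azure Active Directory module (MSOnline) is installed where the script runs.

```powershell
# Added example, not from the original post: scripted version of solutions
# 1 and 2 above. Server names and the federated domain are assumptions.
# Needs PowerShell remoting (WinRM) to the AD FS servers and, for the trust
# repair, the Windows Azure Active Directory (MSOnline) module on this host.
param(
    [string[]]$AdfsServers = @('adfs01.mydomain.local', 'adfs02.mydomain.local'),
    [string]$FederatedDomain = 'mydomain.com',
    [switch]$Revert,            # second run: remove the value once the user can sign in
    [switch]$SkipTrustRepair
)

$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valName = 'LsaLookupCacheMaxSize'

if (-not $Revert -and -not $SkipTrustRepair) {
    # Solution 1: refresh the Office 365 relying party trust (prompts for
    # Office 365 admin credentials; run from an AD FS server).
    Connect-MsolService
    Update-MsolFederatedDomain -DomainName $FederatedDomain
}

# Solution 2: toggle the LSA lookup cache on every AD FS server at once.
$report = Invoke-Command -ComputerName $AdfsServers -ArgumentList $lsaKey, $valName, $Revert.IsPresent -ScriptBlock {
    param($key, $name, $revert)
    if ($revert) {
        # Delete the value again so the cache returns to its default size.
        Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        $state = 'removed (cache back to default)'
    } else {
        # DWORD 0 disables the LSA name/SID lookup cache, so the renamed
        # account is resolved fresh from a domain controller rather than
        # from the stale cached entry.
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
        $state = 'set to ' + (Get-ItemProperty -Path $key -Name $name).$name
    }
    [pscustomobject]@{ Server = $env:COMPUTERNAME; Value = $name; State = $state }
}
$report | Format-Table Server, Value, State -AutoSize
```

Run it once without switches, have the user try to sign in, then run it again with -Revert so the cache is not left disabled.  If the error persists after both, fall back to solution 3 and reboot the AD FS and proxy servers.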

AD RMS (Rights Management Services) for Office 365

Note: This guide is deprecated.  AD RMS has been superseded by Azure Information Protection.  If you have previously used this guide, review the following guide on migrating from AD RMS to Azure Information Protection.

https://docs.microsoft.com/en-us/azure/information-protection/migrate-from-ad-rms-to-azure-rms


Those that have the following tiers of Office 365 are entitled to use Microsoft's AD Rights Management Service to help secure their documents:

  • SharePoint Online Enterprise (E1)
  • SharePoint Online Enterprise (E3 & E4)
  • SharePoint Online Midsized Business

Here is a list of compiled questions I wanted to know when trying AD RMS for Office 365.

What is AD Rights Management Services?

Active Directory Rights Management Services (AD RMS) is an information protection technology that works with AD RMS-enabled applications to help safeguard digital information from unauthorized use. Content owners can define who can open, modify, print, forward, or take other actions with the information.
http://technet.microsoft.com/en-us/library/cc771234(v=ws.10).aspx

Are there any examples of using AD Rights Management Services?

Office 365 did a pretty good job covering the concept of using AD RMS as well as how to use AD RMS.  You can find the full tutorial here, however their official YouTube video covering this has been embedded below:

How do I deploy or enable AD Rights Management Services for Office 365?

  1. Login to your Office 365 Administration Portal
    1. https://portal.microsoftonline.com/
  2. Select service settings on the left side navigation
    Office 365 Admin Portal - Service Settings
  3. Select the rights management tab and click on the Manage link
    Office 365 Admin Portal - Service Settings - rights management
  4. The Manage link should redirect you over to activedirectory.windowsazure.com and present you a big activate button.  Click the activate button.
    Activate Office 365 RMS
  5. Click activate on the Do you want to activate Rights Management? prompt
    Do you want to activate Rights Management
  6. After clicking the activate button, you should now see Rights management is activated on the windowsazure.com page
    Rights management is activated

How do I create more policy templates for AD RMS using Office 365 or Windows Azure?

As pointed out in the following Office 365 forum article: http://community.office365.com/en-us/forums/148/t/177332.aspx

By default, in a pure Office 365 environment, we can get 3 RMS templates in Windows Azure Rights Management. If we have an on-premises server running Active Directory Rights Management Services (AD RMS), we can get more by importing a trusted publishing domain (TPD). So, without an on-premises server, we can only get the default 3 templates.

I enabled AD RMS for Office 365, but I don't see any options in Office 2010.  How do I get Office 2010 to use AD RMS?

Since you are more than likely on the E4 tier, I would highly recommend downloading Office 2013 from your Office 365 portal and installing that.  Office 2013 from the Office 365 portal comes preconfigured to work more fluidly with AD RMS.  However, if you need to use Office 2010, you can complete the following steps as documented on the following technet article: http://technet.microsoft.com/en-us/library/jj585031.aspx#sectionSection1

Can people outside my organization (not a part of my domain) open documents protected with AD RMS?

Short answer, Yes.  Long answer, they are required to create a Microsoft account using their email address (Gmail, AOL, Yahoo, etc) to authenticate themselves.  Below are some screenshots of the registration process; I have copied them from the following technet article for archival purposes: http://blogs.technet.com/b/rms/archive/2013/08/29/the-new-microsoft-rms-is-live-in-preview.aspx

RMS Login

 

RMS Login 2

RMS Login 3

How can an Office 365 customer purchase Microsoft Rights Management Services (RMS)?

Active Directory RMS is already included in the Office 365 Enterprise E3, and E4 plans and the Education A3 and A4 plans. RMS is also available as an add-on in the E1 and A2 plans. Consumption of rights-protected content is free. A license is required to protect content.

Where did FOPE go in the Office 365 Admin Portal?

Today a coworker logged into one of our Office 365 Admin Portals and noticed that the Forefront Online Protection for Exchange (FOPE) link used to manage mail flow rules had been removed.  After searching the entire admin panel, it turns out Microsoft removed access to FOPE and has instead integrated a new "mail flow" area to manage the Exchange rules.  While this is all good and fine, it would have been nice to get an email saying the changes to the portal were going to be made.

Anyhow, here is where you can now create/edit/delete your mail flow rules (note: all previous rules were automatically migrated from Forefront Online Protection for Exchange (FOPE) to what is now called Exchange Online Protection (EOP)).

  1. Login to Office 365 Admin Portal
  2. Click on Admin -> Exchange
    Office 365 Admin Portal - Exchange Link
  3. Select the mail flow link on the left
    Exchange admin center - mail flow
  4. On the rules tab, you can now manage all of the mail rules as you would have done in FOPE.
    1. In the picture below, you can see some of the rules that were automatically moved from FOPE over to Microsoft's new system (Migrated FOPE Policy Rule ID: xxxxxx).
      Exchange admin center - mail flow - rules

 

Notes: It looks like Microsoft has released one official knowledge base article regarding this, which can be found here: http://technet.microsoft.com/en-us/library/dn308542%28v=exchg.150%29.aspx

[Office 365] - Forwarding email from one mailbox to another with ADFS turned on

Synopsis: An employee leaves on personal matters for a month and their department lead requests that their mail be forwarded to their manager.  Typically, mail forwarding would be set up inside the Exchange console; however, in this case Exchange is managed by Office 365 (not a hybrid Exchange deployment) and the users are federated to Office 365 via ADFS.  When trying to enable mail forwarding as outlined in this help document by the Office 365 team, http://community.office365.com/en-us/wikis/exchange/how-to-forward-email-in-office-365.aspx, I received an error message.

Symptom: When enabling mail forwarding for the user inside of the Office 365 Exchange portal, I received the following error message:

The action 'Set-Mailbox', 'EmailAddresses', can't be performed on the object 'Firstname Lastname' because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.

Solution:

Personally, I think this is a bug in Office 365, but they say it is because we are on premise (if all of Exchange is managed by them, how can they not enable mail forwarding?).  Anyhow, the workaround is to open the user's mailbox on their behalf and set forwarding up from the user's own options, exactly as the user would.  See the steps below to achieve the same result:

  1. Login to your Office 365 admin portal.
  2. Click on the Admin dropdown and select Exchange
    Exchange
  3. Once in the Exchange portal, click on your username and select Another user...
    Exchange - Another User
  4. Type in the mailbox you want to edit and click ok
    Select Mailbox
  5. On the "Managing on behalf of" screen, select Forward your email
    Exchange - Forward Your Email
  6. Scroll down to forwarding and type in the email address of the user you want all emails to go to and click start forwarding.  You can optionally select if you want to leave a copy for the user's mailbox or have them silently forwarded.
    Exchange - Start Forwarding
  7. That's it! 🙂

Deploying Office 2013 Professional Plus from Office365 Offline

As you have probably found out, Microsoft no longer provides a traditional installer for Microsoft Office 2013 through Office 365.  Additionally, you probably also know that the Click-to-Run installer they do provide pulls the installation files down to each PC over the internet, which takes forever when deploying Office in an enterprise environment.  That being said, here is the solution for deploying Office 2013 in an enterprise environment! 🙂

  1. Download the Office Deployment Tool for Click-to-Run
    1. http://www.microsoft.com/en-us/download/details.aspx?id=36778
  2. Once downloaded, run officedeploymenttool.exe
    1. Accept the EULA
      Click-to-run EULA
    2. Select a folder for it to extract the setup.exe file to
      Office365 Folder
  3. Navigate to the folder you made in step 2.2 via Windows Explorer and edit the configuration.xml file with your favorite text editor (Notepad, Notepad++, etc.)
  4. Remove any text inside the configuration.xml file and use the following code:
      <Configuration>
        <!-- 32-bit build, one product, one language -->
        <Add OfficeClientEdition="32" >
          <Product ID="O365ProPlusRetail">
            <Language ID="en-us" />
          </Product>
        </Add>
        <!-- Click-to-Run updates stay on; an empty UpdatePath means they come from Microsoft -->
        <Updates Enabled="TRUE" UpdatePath="" />
        <!-- Silent install with the EULA accepted on the user's behalf -->
        <Display Level="None" AcceptEULA="TRUE" />
        <Logging Name="OfficeSetup.txt" Path="%temp%" />
      </Configuration>

      1. Note: I used the 32-bit client installer instead of the 64-bit build.  The reasoning behind this is that Microsoft advises staying on the 32-bit build to ensure compatibility with browser plugins and add-ins that have not been written for the 64-bit Office build.
    2. What this code will do is deploy the 32-bit version of Office 365 Professional Plus silently, automatically accept the EULA, and log installation progress to a text file called OfficeSetup.txt in your temporary files folder.
      1. NOTE: If you want the 64-bit version of Office 365 Professional Plus instead, simply change OfficeClientEdition="32" above to OfficeClientEdition="64"
    3. Save configuration.xml and minimize your text editor, we will come back to this file later.
  5. Next, open up a command prompt and navigate to the folder you made in step 2.2
  6. Now, we will download the necessary files from Microsoft used to deploy Office internally on our network.  To do so, execute the following command (the configuration file must be passed so setup.exe knows which edition, product and language to fetch):
    1. setup.exe /DOWNLOAD configuration.xml
      Office365 Download Offline Files
  7. You should now see a folder called "Office" once the files have finished downloading.
    Office365 Offline Files
  8. Create a network share through which the folder from step 7 can be reached during an installation (share the folder that contains the Office folder).  Once done, open the configuration.xml file in your text editor again.
  9. Add the following attribute to your <Add OfficeClientEdition="32"> line:
    1. SourcePath="\\server\share"
    2. So the entire line should look something like <Add OfficeClientEdition="32" SourcePath="\\server\share">
    3. Note: setup.exe looks for the installation files under <SourcePath>\Office\Data, so SourcePath must point at the folder that contains the Office folder created in step 7, not at the Office folder itself.
  10. Now make a new file called deploy.bat inside of the folder we created in step 2.2
  11. Paste the following code into that file:
      @echo off
      rem run from the folder that holds setup.exe and configuration.xml
      pushd %~dp0
      echo /******************************************
      echo /* Installing Office 365
      echo /******************************************
      setup.exe /CONFIGURE configuration.xml
      popd
      pause
  12. Once the command has executed, Office 365 Professional Plus should automatically be deployed on the machine!  The last step is for the user to login to their profile and activate Office 365 using their Office365 credentials.

Hope this helps! If anyone finds a better solution, please let me know and I can update the guide 🙂

Notes:

Here is a link to what Product IDs are supported for deployment: http://support.microsoft.com/kb/2842297
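As an added example (my own script, not from the original post or the Office Deployment Tool), here is the deploy.bat logic in PowerShell with the checks you want before a silent install: that configuration.xml actually has a SourcePath, that the share exposes the Office\Data folder produced by /download, and that setup.exe's exit code is surfaced instead of disappearing behind "pause".  The paths are assumptions; run it from the folder that holds setup.exe and configuration.xml (step 2.2).

```powershell
# Added example, not from the original post: a PowerShell replacement for
# deploy.bat that validates the config and the share before a silent install
# and surfaces setup.exe's exit code. Paths are assumptions; run it from the
# folder that holds setup.exe and configuration.xml.
param(
    [string]$ConfigPath = (Join-Path (Get-Location) 'configuration.xml'),
    [string]$SetupPath  = (Join-Path (Get-Location) 'setup.exe')
)

[xml]$config = Get-Content -Path $ConfigPath
$add      = $config.Configuration.Add
$source   = $add.SourcePath
$edition  = $add.OfficeClientEdition
$products = @($add.Product | ForEach-Object { $_.ID })

# Without SourcePath every client pulls the bits from the internet, which is
# exactly what the offline download in step 6 was meant to avoid.
if (-not $source) { throw "no SourcePath in $ConfigPath; clients would download from the internet" }

# /download creates <SourcePath>\Office\Data; if that is missing the share is
# unreachable, points at the wrong folder, or the download never ran.
if (-not (Test-Path -Path (Join-Path $source 'Office\Data'))) {
    throw "'$source' has no Office\Data folder; is the share reachable from $env:COMPUTERNAME and was /download run?"
}
if (-not (Test-Path -Path $SetupPath)) { throw "setup.exe not found at $SetupPath" }

Write-Host "Installing $edition-bit $($products -join ', ') from $source"
$proc = Start-Process -FilePath $SetupPath -ArgumentList "/configure `"$ConfigPath`"" -Wait -PassThru -NoNewWindow

if ($proc.ExitCode -ne 0) {
    # Point at the log file named in the <Logging> element (%temp% expanded).
    $logDir = [Environment]::ExpandEnvironmentVariables($config.Configuration.Logging.Path)
    throw "setup.exe exited with $($proc.ExitCode); see $(Join-Path $logDir $config.Configuration.Logging.Name)"
}
Write-Host 'Office installed; the user activates it by signing in with their Office 365 credentials.'
```

Because the script throws on any failed check, it also works as the install step in a software deployment job: a non-zero result there means the share or the configuration needs attention, not the client.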

[Office 365] Access to the registry key "HKEY_LOCAL_MACHINE\Software\Microsoft\MSOLCoExistence" is denied

If you receive the error when configuring the Microsoft Directory Synchronization Tool to communicate with Office 365:
"Access to the registry key 'HKEY_LOCAL_MACHINE\Software\Microsoft\MSOLCoExistence' is denied"

Make sure you right click and run the tool as an administrator 🙂

Microsoft Online Service Directory Synchronization Configuration Wizard in the Configuration step. The error