Tag Archives: Office 365

[Tutorial] Upgrading from ADFS 2.0 (Server 2008 R2) to ADFS 3 (Server 2012 R2)

Scenario: You want to upgrade your ADFS 2.0 or 2.1 farm using WID (Windows Internal Database) from Server 2008 R2 to Server 2012 R2.  In this scenario, I have 2 ADFS servers (one as the primary and a second for failover purposes), and 2 ADFS Proxy servers (for load balancing/failover purposes).

NOTE: Prior to writing this article I had only found limited documentation provided by Microsoft on a proper upgrade path for this.  Since then, it appears that tools have been included with the Server 2012 installation media which greatly cut down on the number of steps needed and keep downtime to a minimum.  I would highly recommend giving this article a read before proceeding with my article: http://blogs.technet.com/b/askpfeplat/archive/2014/03/31/how-to-build-your-adfs-lab-part4-upgrading-to-server-2012-r2.aspx

My article should still work, but it is definitely not the most efficient way to do an upgrade, as pointed out in the TechNet article above.  My guide essentially covers cutting over to a completely new ADFS deployment (the "upgrade") running side-by-side with your production environment. As pointed out below, you cannot add a Server 2012 R2 machine to a Server 2008 R2 ADFS farm as documented in Microsoft's earlier help articles.

Tutorial

  1. Login to one of your slave ADFS nodes (secondary server) running Server 2008 R2
  2. Remove the node from your load balancer
  3. Stop the AD FS 2.0 Windows Service
  4. Click Start -> Administrative Tools -> Internet Information Services (IIS) Manager
  5. Select your server and double click on Server Certificates
  6. Right click on your certificate and select Export...
  7. Export the certificate to your desktop, type in a password to protect the exported certificate/private key, and select OK
  8. Copy the pfx (exported certificate/private key) to your local machine; we will import this on our new server later.
  9. Disjoin the ADFS machine from the domain
  10. Turn the ADFS machine off and retire it
  11. Create a new Server 2012 R2 machine with the same name and IP as your Server 2008 R2 ADFS machine
  12. While the new ADFS machine is being created, login to one of your ADFS proxy servers
  13. Remove the proxy from your load balancer
  14. Stop the AD FS 2.0 Windows Service
  15. Turn the machine off and retire it
  16. Create a new Server 2012 R2 machine with the same name and IP as your Server 2008 R2 ADFS Proxy machine
  17. While the new ADFS proxy machine is being created, login to your new ADFS Server 2012 R2 machine.
  18. Open up Server Manager and select Manage -> Add Roles and Features
  19. On the Before You Begin screen, click Next >
  20. Select Role-based or feature-based installation and click Next >
  21. Select your server and click Next >
  22. Check Active Directory Federation Services and click Next >
  23. Click Next > on Features
  24. Click Next > on AD FS
  25. Click Install
  26. Click on the Configure the federation service on this server. link once the installation has completed successfully.
  27. Check Create the first federation server in a federation server farm on the Welcome screen for the Active Directory Federation Services Configuration Wizard and then click Next >
    1. Please see my notes below on why we did not check Add a federation server to a federation server farm.
  28. Click Next > on the Connect to AD DS step
  29. Copy the .pfx file we exported from the ADFS server earlier to the new ADFS server
  30. On the Specify Service Properties screen, click on the Import... button
  31. Select your certificate and click Open
  32. Type in the password to the exported certificate and click OK
  33. Type in a Federation Service Display Name that will be shown to your users when they login to the ADFS service (this can be anything), and click Next >
  34. On the Specify Service Account screen, select Use an existing domain user account or group Managed Service Account and click the Select... button
  35. Type in the name of the service account you wish to use for ADFS, click the Check Names button to verify you don't have any typos, and click OK
  36. Type in the password for the ADFS service account and click Next >
  37. Click Next > on the Specify Configuration Database screen (Create a database on this server using Windows Internal Database)
    1. Note: I chose to continue to use WID; you can switch to SQL now if you would like, however that is outside of the scope of this document.
  38. Click Next > on the Review Options screen
  39. Click the Configure button once all the prerequisite checks have passed successfully
  40. Click Close once the server has successfully been configured
  41. Open up Internet Explorer on the new ADFS machine and navigate to https://localhost/adfs/ls/IdpInitiatedSignon.aspx to ensure the service is properly running
    1. Note: you should receive an invalid SSL certificate error; that is OK, we will switch the DNS records over once we are ready to transition from our old farm to the new one.
  42. Next, login to your Server 2008 R2 primary ADFS server and recreate the federation trusts on the new Server 2012 R2 primary ADFS server
    1. Start -> Administrative Tools -> AD FS 2.0 Management; select Trust Relationships -> Relying Party Trusts
    2. Recreate all the rules/trusts from your original ADFS server on your new Server 2012 R2 ADFS machine
      1. Note: If you are recreating rules for Office 365, you will need to wait until you switch your new Server 2012 R2 environment over to production.  The reason is that when you set up the new ADFS instance, some of the certificates will change, causing a certificate mismatch and preventing your users from logging in.  Make sure you follow the steps in the following article when re-establishing the Office 365 trust to ensure your users don't receive "Error 80041317": http://support.microsoft.com/kb/2647020/en-us
  43. Login to your new ADFS Proxy server
  44. Import your SSL certificate from your old ADFS server (from step 8) into the server's Local Machine certificate store
    1. Right click on Start and select Run
    2. Type MMC and click OK
    3. Click File -> Add/Remove Snap-in...
    4. Select Certificates and click Add >
    5. Select Computer account and click Next >
    6. Select Finish
    7. Click OK on the Add or Remove Snap-ins screen
    8. Expand Certificates (Local Computer), right click Personal, and select All Tasks -> Import...
    9. Click Next on the Certificate Import Wizard
    10. Click the Browse... button
    11. Select your certificate and click Open
      1. Note: You may need to click on the dropdown box in the bottom right and select All Files for your pfx file to show up.
    12. Click Next on the File to Import screen
    13. Type in the password to the pfx file, check Mark this key as exportable, and click Next
    14. Ensure Place all certificates in the following store shows Personal and click Next
    15. Click Finish
    16. Click OK on the Certificate Import Wizard successful dialog box
  45. Edit the hosts file to point your DNS record to your new ADFS server
    1. Open Notepad as an Administrator
    2. Open the following file: C:\Windows\System32\drivers\etc\hosts
    3. Add in your DNS entry and point it to your new ADFS server
    4. Save the file
      1. Note: We will come back to this later and update it to point to our load balancer once we switch everything over.  For now, this lets us test our new deployment while switching things over.
  46. Open up Server Manager
  47. Click Manage -> Add Roles and Features
  48. Click Next > on the Before you begin screen
  49. Select Role-based or feature-based installation and click Next >
  50. Select your server and click Next >
  51. Check Remote Access on the Server Roles screen
  52. Click Next > on the Features screen
  53. Click Next > on the Remote Access screen
  54. Check Web Application Proxy
  55. Click Add Features on the Add Roles and Features Wizard dialog box
  56. Click Next > on the Role Services screen
  57. Click Install on the Confirmation screen
  58. Click on the Open the Web Application Proxy Wizard link once the installation succeeds
  59. Click Next > on the Welcome screen
  60. Type in the FQDN of your ADFS server and the credentials of an account with local admin privileges, and then click Next >
  61. Select your certificate on the AD FS Proxy Certificate screen and click Next >
  62. Click Configure on the Confirmation screen
  63. Click Close once the Web Application Proxy has been successfully configured.
  64. After you click Close a new window should open.  On the Remote Access Management Console, select Publish
    1. Note: This step only needs to be done once.  It will replicate to all other proxy servers when you set those up at a later time.
  65. Click Next > on the Welcome screen
  66. Select Pass-through and click Next >
  67. Enter in a name, external URL, and internal URL for your federated server (mine were both the same since I use split-DNS).  Click Next >
  68. Click Close
  69. Add the new Server 2012 R2 ADFS machine to your load balancer and remove your Server 2008 R2 machine.
  70. Add the new Server 2012 R2 ADFS Proxy machine to your load balancer and remove your Server 2008 R2 proxy machine.
  71. Update the hosts file on your Server 2012 R2 proxy machine to point to your load balanced Server 2012 R2 ADFS environment
  72. Retire your Server 2008 R2 ADFS environment
    1. Disjoin the ADFS proxy server from the domain and recycle the machine
    2. Open up PowerShell as an Administrator
    3. Execute the following commands:
      1. Add-PSSnapin Microsoft.Adfs.Powershell                 # load the AD FS 2.0 cmdlets
         Get-AdfsProperties                                     # review the farm properties
         (Get-AdfsProperties).CertificateSharingContainer       # note this DN; it is needed in step 5
    4. Stop the service on your Server 2008 R2 ADFS machine running the old ADFS farm
    5. Execute the following commands to remove the ADFS farm info from AD (substituting in the CertificateSharingContainer value from the Get-AdfsProperties command):
      1. # bind to the farm's certificate-sharing container using the DN noted in step 3
         $delme = New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=484e24a8-5726-4186-8e24-825b77920798,CN=ADFS,CN=Microsoft,CN=Program Data,DC=mydomain,DC=local")
         $delme.DeleteTree()    # deletes the container and every object beneath it
    6. Disjoin the ADFS machine from the domain and recycle the machine
  73. Add a new Server 2012 R2 ADFS machine and WAP machine to your new ADFS environment for redundancy (same steps as above, except in step 27 you will select Add a federation server to a federation server farm).
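Step 72.5 above deletes whatever DN you paste, so a mistyped DN removes the wrong subtree. The function below is an added example, not code from the original post: it reads the DN from Get-AdfsProperties itself, refuses anything outside the ADFS program-data container, requires the old farm's service to be stopped first (step 72.4), and honours -WhatIf/-Confirm. It assumes the AD FS 2.0 snap-in is present on the retired primary and that the AD FS 2.0 service name is adfssrv.

```powershell
# Added example (not from the original post): safer version of step 72.5.
function Remove-RetiredAdfsFarmContainer {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # AD FS 2.0 Windows Service name on Server 2008 R2 (assumed)
        [string]$ServiceName = 'adfssrv'
    )

    if (-not (Get-PSSnapin -Name Microsoft.Adfs.Powershell -ErrorAction SilentlyContinue)) {
        Add-PSSnapin Microsoft.Adfs.Powershell
    }

    # The farm publishes the DN of its certificate-sharing container (step 72.3);
    # read it programmatically instead of copying it by hand.
    $dn = (Get-AdfsProperties).CertificateSharingContainer
    if ([string]::IsNullOrWhiteSpace($dn)) {
        throw 'CertificateSharingContainer is empty; nothing to remove.'
    }

    # Guard 1: only ever delete one object directly under CN=ADFS,CN=Microsoft,CN=Program Data.
    # DeleteTree() removes the whole subtree, so the DN pattern is checked strictly.
    if ($dn -notmatch '^CN=[^,]+,CN=ADFS,CN=Microsoft,CN=Program Data,DC=') {
        throw "Unexpected container DN '$dn'; refusing to delete."
    }

    # Guard 2: the old farm must already be stopped (step 72.4).
    $svc = Get-Service -Name $ServiceName -ErrorAction Stop
    if ($svc.Status -ne 'Stopped') {
        throw "Service '$ServiceName' is $($svc.Status); stop it before removing the farm container."
    }

    $path = "LDAP://$dn"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
        Write-Warning "$dn does not exist (already removed?)"
        return
    }

    if ($PSCmdlet.ShouldProcess($dn, 'Delete container and all child objects')) {
        $entry = New-Object System.DirectoryServices.DirectoryEntry($path)
        $entry.DeleteTree()      # same call as the manual step, now against a verified DN
        $entry.Dispose()
        Write-Verbose "Removed $dn"
    }
}

# Dry run first; the second call performs the deletion after an interactive prompt.
Remove-RetiredAdfsFarmContainer -WhatIf
# Remove-RetiredAdfsFarmContainer -Confirm
```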

Notes: Here is the upgrade compatibility matrix for upgrading ADFS from a specific version to Server 2012: http://technet.microsoft.com/en-us/library/jj647765.aspx

Why did I not check Add a federation server to a federation server farm on the Welcome screen for the Active Directory Federation Services Configuration Wizard?

The reason behind not checking this is I believe Microsoft has a bug in their discovery tool in adding another machine to a farm running ADFS 3.0.  When adding a Server 2012 R2 machine to a farm with only Server 2008 R2 machines running ADFS 2.0, you will receive the following error:

The primary federation server was contacted successfully, but the configuration data was not valid. Ensure that the primary federation server is running Windows Server 2012 R2 or later. Unable to retrieve configuration from the primary server.

Prerequisites Check Completed: One or more prerequisites failed.  Please fix these issues and click "Rerun prerequisites check"

Symptom: You receive the following error while setting up the WAP (proxy) server:

An error occurred when attempting to establish a trust relationship with the federation service. Error: Not Found

Resolution: Make sure you update the DNS records of your ADFS deployment to point to your new ADFS server.  Both the ADFS proxy and ADFS server must be running the same OS version (in this case, Server 2012 R2).

Office 365 - Single Sign-On for SharePoint, Skydrive, CRM, etc. via Smart Links

Update: I have released a smart link generator to have these items created automatically, please find this here: http://jackstromberg.com/o365-smart-linksso-link-generator/

Synopsis: One of the biggest problems I have seen with Office 365 is ease of access to all of the Office 365 resources.  As pointed out on many of the Microsoft forums, SharePoint, CRM, SkyDrive, etc. do not automatically complete a single sign-on request when browsing to the website.

Problem: When a user browses to https://mydomain.sharepoint.com, for example, the user is prompted to enter their email address.  What a user expects is to be automatically logged in and see SharePoint when navigating to https://mydomain.sharepoint.com.  Additionally, for whatever reason, users cannot remember the website address https://mydomain.sharepoint.com; instead, they want to use something like http://sharepoint.mydomain.com.

Solution: Create name-branded "fancy URLs" that complete an IdP-initiated sign-on request to give the user a true SSO experience.

  • http://owa.mydomain.com
  • http://sharepoint.mydomain.com
  • http://skydrive.mydomain.com
  • http://crm.mydomain.com

Solution:

  1. Open up Internet Explorer
  2. Navigate to https://mydomain.sharepoint.com
  3. Press F12 to open up the developer tools console (I am running IE 11; the console looks way different than in previous versions of IE)
  4. Scroll down and select the icon that looks like a little WiFi antenna (the Network tab)
  5. Click the green play button to start capturing
  6. Type in your email address as you would to login to SharePoint ([email protected])
  7. You should be redirected to your ADFS server, and inside the network console you should see a link like https://sts.mydomain.com/adfs/ls/?..................  Copy this link into Notepad.
  8. Remove the extra text that came along from the debug console so only the URL remains
  9. Remove everything from cbcxt=..... to wa=wsignin1.0
  10. Remove the ct%3D1386214464%26 and bk%3D1386214464%26 parameters
  11. Next, open up another new Notepad document named index.html and paste the following text into it
    1. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
       "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
       <html xmlns="http://www.w3.org/1999/xhtml"><head>
       <title>CRM</title>
       <meta http-equiv="refresh" content="0; url=https://sts.mydomain.com link goes here" /></head>
       <body>
       </body>
       </html>
  12. Replace https://sts.mydomain.com link goes here with your new smart link and save the document.
  13. Upload the index.html file to one of your webservers
  14. Create a new A record called sharepoint.mydomain.com pointing to your webserver
  15. Now when a user browses to http://sharepoint.mydomain.com, the user will automatically be redirected to your secure ADFS Proxy and authenticate automatically.

You will need to repeat the steps above for each of the Office 365 products your company uses.  The federated addresses do change, so you will have to follow all of the steps over again for each Smart Link you wish to create.
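Since the steps have to be repeated for every product, here is an added example (not code from the original post, and unrelated to the generator linked at the top) that automates steps 7 through 12: ConvertTo-SmartLink keeps the captured URL from wa=wsignin1.0 onward and strips the per-capture ct= and bk= values that sit URL-encoded inside wctx, and New-SmartLinkPage writes the index.html redirect. The sample captured URL is constructed and simplified, not a real capture; the function names are mine.

```powershell
# Added example (not from the original post): build a smart link from a captured ADFS redirect.
function ConvertTo-SmartLink {
    param([Parameter(Mandatory = $true)][string]$CapturedUrl)

    $parts = $CapturedUrl.Split('?', 2)
    if ($parts.Length -ne 2) { throw "No query string in '$CapturedUrl'" }
    $base  = $parts[0]      # e.g. https://sts.mydomain.com/adfs/ls/
    $query = $parts[1]

    # Step 9: everything from cbcxt= up to wa=wsignin1.0 is session noise; keep from wa= onward.
    # The unencoded 'wa=' only occurs in the outer query, so IndexOf finds the right spot even
    # though wctx also contains an encoded copy (wa%3Dwsignin1.0).
    $start = $query.IndexOf('wa=wsignin1.0')
    if ($start -lt 0) { throw 'wa=wsignin1.0 not found; capture the redirect again.' }
    $query = $query.Substring($start)

    # Step 10: ct%3D<number>%26 and bk%3D<number>%26 are timestamps from this capture.
    # Match only at the start of an encoded parameter (after =, & or %26) to avoid clipping
    # a longer name that happens to end in "ct" or "bk".
    $query = [regex]::Replace($query, '(?i)(?<=^|[=&]|%26)(ct|bk)%3D\d+%26', '')

    return '{0}?{1}' -f $base, $query
}

# Writes the redirect page from step 11 with the smart link filled in.
function New-SmartLinkPage {
    param(
        [Parameter(Mandatory = $true)][string]$SmartLink,
        [Parameter(Mandatory = $true)][string]$Title,
        [Parameter(Mandatory = $true)][string]$Path
    )
    # '&' must be written as &amp; inside an attribute for the page to be valid XHTML
    $href = [System.Net.WebUtility]::HtmlEncode($SmartLink)
    $html = @"
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<title>$Title</title>
<meta http-equiv="refresh" content="0; url=$href" /></head>
<body></body></html>
"@
    Set-Content -Path $Path -Value $html -Encoding UTF8
}

# Constructed sample capture (simplified), used only to exercise the functions.
$captured = 'https://sts.mydomain.com/adfs/ls/?cbcxt=&vv=&username=user%40mydomain.com&lc=1033' +
            '&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline' +
            '&wctx=wa%3Dwsignin1.0%26rpsnv%3D2%26ct%3D1386214464%26rver%3D6.1.6206.0%26wp%3DMBI' +
            '%26wreply%3Dhttps%3A%2F%2Fmydomain.sharepoint.com%2F%26lc%3D1033%26id%3D500046' +
            '%26bk%3D1386214464%26LoginOptions%3D3'

$link = ConvertTo-SmartLink -CapturedUrl $captured
$link
New-SmartLinkPage -SmartLink $link -Title 'SharePoint' -Path (Join-Path $env:TEMP 'index.html')
```

Verify the generated link in a browser before publishing it: a smart link that still carries ct=/bk= values from the capture will eventually stop working.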

NOTES:

Here is an official article on creating smart links: http://community.office365.com/en-us/wikis/sso/using-smart-links-or-idp-initiated-authentication-with-office-365.aspx

Yammer and Office 365 Enterprise

If you are on the enterprise plans of Office 365 (E4 for example), your users may be eligible to use Microsoft's enterprise social network called Yammer.  This article will cover a few questions I was curious about when rolling out Yammer as well as what to expect.

How do I tell if I am eligible?

  1. Login to the Office 365 admin portal (https://portal.microsoftonline.com)
  2. Click on included services on the dashboard

How do I activate Yammer?

  1. If you are eligible for the Yammer service, click on Yes, activate Yammer Enterprise for my network
  2. Click on the Activate Yammer Enterprise button
  3. You will be redirected to a screen where you see a loading bar.  Grab a can of pop/coffee/tea/water and come back.
  4. Click on the Create Yammer Account link once Yammer Enterprise has been provisioned.
  5. Type in the same email address you use for your Office 365 Admin credentials
  6. If successful, you should see a Thank you for signing up screen
  7. Check your email and click on the Complete Signup button
  8. Type in your information and click the Next button
  9. Click Next on the who do you work with page, or spam your colleagues to sign up as well.
  10. Join or create any groups you would like and then click Next
  11. Optionally, add a profile picture and click Save & Continue
  12. Click on the 3 dots in the top right corner and select Network Admin
  13. Welcome to your Yammer Enterprise Admin portal!  Here you can manage all aspects of Yammer for your organization.
  14. Lastly, if you go back to your Office 365 Admin portal, you should see a link that will redirect you to the Yammer.com website.

FAQ

Does Yammer support single-sign on or ADFS?

Currently, Yammer does not support this integration.

Will Yammer find users previously signed up with email addresses from @mydomain.com?

Yes

Does Microsoft have plans on continuing to integrate Yammer and Office 365?

Yes, Microsoft has announced they would like deeper integration with Office 365, more specifically with functionality in SharePoint.  Quarter 4 of this year (2013) was their deadline for the first integration, and we have seen they have started to deliver.  However, there are no specific dates yet of when users will be 100% synchronized between the two systems.

When I activate Yammer on Office 365 for my organization will it email all of my users to create profiles?

No, they will have to manually join or you will have to manually send them invites to create a separate Yammer account.

AD RMS (Rights Management Services) for Office 365

Note: This guide is deprecated.  AD RMS has been superseded by Azure Information Protection.  If you have previously used this guide, review the following guide on migrating from AD RMS to Azure Information Protection:

https://docs.microsoft.com/en-us/azure/information-protection/migrate-from-ad-rms-to-azure-rms


Those that have the following tiers of Office 365 are entitled to use Microsoft's AD Rights Management Service to help secure their documents:

  • SharePoint Online Enterprise (E1),
  • SharePoint Online Enterprise (E3 & E4),
  • SharePoint Online Midsized Business

Here is a list of compiled questions I wanted to know when trying AD RMS for Office 365.

What is AD Rights Management Services?

Active Directory Rights Management Services (AD RMS) is an information protection technology that works with AD RMS-enabled applications to help safeguard digital information from unauthorized use. Content owners can define who can open, modify, print, forward, or take other actions with the information.
http://technet.microsoft.com/en-us/library/cc771234(v=ws.10).aspx

Are there any examples of using AD Rights Management Services?

Office 365 did a pretty good job covering the concept of using AD RMS as well as how to use AD RMS.  You can find the full tutorial here, however their official YouTube video covering this has been embedded below:

How do I deploy or enable AD Rights Management Services for Office 365?

  1. Login to your Office 365 Administration Portal
    1. https://portal.microsoftonline.com/
  2. Select service settings in the left side navigation
  3. Select the rights management tab and click on the Manage link
  4. The Manage link should redirect you over to activedirectory.windowsazure.com and present you with a big activate button.  Click the activate button.
  5. Click activate on the Do you want to activate Rights Management? prompt
  6. After clicking the activate button, you should now see Rights management is activated on the windowsazure.com page

How do I create more policy templates for AD RMS using Office 365 or Windows Azure?

As pointed out in the following Office 365 forum article: http://community.office365.com/en-us/forums/148/t/177332.aspx

By default, in a pure Office 365 environment, we can get 3 RMS templates in Windows Azure Rights Management. If we have an on-premises server running Active Directory Rights Management Services (AD RMS), we can get more by importing a trusted publishing domain (TPD). So, without an on-premises server, we can only get the default 3 templates.

I enabled AD RMS for Office 365, but I don't see any options in Office 2010.  How do I get Office 2010 to use AD RMS?

Since you are more than likely on the E4 tier, I would highly recommend downloading Office 2013 from your Office 365 portal and installing that.  Office 2013 from the Office 365 portal comes preconfigured to work more fluidly with AD RMS.  However, if you need to use Office 2010, you can complete the following steps as documented on the following technet article: http://technet.microsoft.com/en-us/library/jj585031.aspx#sectionSection1

Can people outside my organization (not a part of my domain) open documents protected with AD RMS?

Short answer, Yes.  Long answer, they are required to create a Microsoft account using their email address (Gmail, AOL, Yahoo, etc) to authenticate themselves.  Below are some screenshots of the registration process; I have copied them from the following technet article for archival purposes: http://blogs.technet.com/b/rms/archive/2013/08/29/the-new-microsoft-rms-is-live-in-preview.aspx

[Screenshots: RMS Login, RMS Login 2, RMS Login 3]

How can an Office 365 customer purchase Microsoft Rights Management Services (RMS)?

Active Directory RMS is already included in the Office 365 Enterprise E3, and E4 plans and the Education A3 and A4 plans. RMS is also available as an add-on in the E1 and A2 plans. Consumption of rights-protected content is free. A license is required to protect content.

Where did FOPE go in the Office 365 Admin Portal?

Today a coworker logged into one of our Office 365 Admin Portals and noticed that the Forefront Online Protection for Exchange (FOPE) link used to manage mail flow rules had been removed.  After searching the entire admin panel, it turns out Microsoft removed access to FOPE and has instead integrated a new "mail flow" area to manage the Exchange rules.  While this is all good and fine, it would have been nice to get an email saying the changes to the portal were going to be made.

Any who, here is where you can now create/edit/delete your mail flow rules (note: all previous rules were automatically migrated from Forefront Online Protection for Exchange (FOPE) to what is now called Exchange Online Protection (EOP)).

  1. Login to Office 365 Admin Portal
  2. Click on Admin -> Exchange
  3. Select the mail flow link on the left
  4. On the rules tab, you can now manage all of the mail rules as you would have done in FOPE.
    1. The rules that were automatically moved from FOPE over to Microsoft's new system are named Migrated FOPE Policy Rule ID: xxxxxx.

Notes: It looks like Microsoft has released one official knowledge base article regarding this, which can be found here: http://technet.microsoft.com/en-us/library/dn308542%28v=exchg.150%29.aspx

[Office 365] - Forwarding email from one mailbox to another with ADFS turned on

Synopsis: An employee leaves on personal matters for a month and their department lead requests that their mail be forwarded to their manager.  Typically, mail forwarding would be set up inside of the Exchange console; however, in this case, Exchange is managed by Office 365 (not a hybrid Exchange deployment) and the users are federated to Office 365 via ADFS.  When trying to enable mail forwarding as outlined in this help document by the Office 365 team, http://community.office365.com/en-us/wikis/exchange/how-to-forward-email-in-office-365.aspx, I would receive an error message.

Symptom: When enabling mail forwarding for the user inside of the Office 365 Exchange portal, I received the following error message:

The action 'Set-Mailbox', 'EmailAddresses', can't be performed on the object 'Firstname Lastname' because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.

Solution:

Personally, I think this is a bug in Office 365, but they say it is because we are on premise (if all of Exchange is managed by them, how can they not enable mail forwarding?).  Any who, the workaround is to manage the user's mailbox and set forwarding up as the user would themselves.  See the steps below to achieve the same result:

  1. Login to your Office 365 admin portal.
  2. Click on the Admin dropdown and select Exchange
  3. Once in the Exchange portal, click on your username and select Another user...
  4. Type in the mailbox you want to edit and click ok
  5. On the "Managing on behalf of" screen, select Forward your email
  6. Scroll down to forwarding, type in the email address of the user you want all emails to go to, and click start forwarding.  You can optionally select whether to leave a copy in the user's mailbox or have the emails silently forwarded.
  7. That's it! 🙂

Lync On-Premise with Office 365 Federation - error ID 403

When communicating to hosted companies in Office 365 from an On-Premise Lync environment, I had begun seeing the following symptoms:

  1. Presence defaulted to Unknown for federated contacts
  2. When joining someone's meeting or sending them an IM, I would see the following:
    "When contacting your support team, reference error ID 403 (source ID 239)."
  3. Inside of Event Viewer, I saw:
    403 Forbidden
    ms-diagnostics-public: 1034;reason="Previous hop federated peer did not report diagnostic information";Domain="othercompanydomainon.com";PeerServer="sipfed.online.lync.com"

Solution:

Interestingly enough, even though you have an On-Premise Lync environment, it appears that Office 365 will tie back to your account for some settings.  In my case, I had not enabled federation to other PIC providers on Office 365.

To resolve the issue, please follow the steps below:

  1. Login to the Office 365 Admin Portal
  2. Click on Manage Lync
    Manage Lync - Office 365
  3. Click on the External communications tab and ensure the following settings:
    1. Domain federation mode: Turned on for all domains except blocked domains (you can switch to the other mode, but keep in mind you will then have to whitelist every domain you want to communicate with)
    2. Public IM connectivity mode: Enabled
    Lync - Office 365 - External communications
  4. Next, open the Lync Server Control Panel for your on-premises Lync deployment.
  5. Select the Federation and External Access tab and then select SIP Federated Providers
  6. Ensure you have a hosted provider named LyncOnline whose Access Edge service is sipfed.online.lync.com
    Lync - SIP Federated Providers

    1. To create the provider via the Lync Server 2013 Control Panel
      1. Select New... and then click Hosted Provider
        1. Enable communications with this provider: Checked
        2. Provider Name: LyncOnline
        3. Access Edge Service (FQDN): sipfed.online.lync.com
        4. Click Commit
    2. To create the provider via PowerShell, execute the following command:
      1. New-CsHostingProvider -Identity LyncOnline -ProxyFqdn sipfed.online.lync.com -Enabled $True

Wait a few minutes for the changes to take effect, sign out of the Lync client on your workstation, sign back in, and you should now be able to communicate with your federated partner.
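
The whole procedure above as a script, as an added example that is not part of the original post. The first part runs in the Lync Server Management Shell on a Front End server: it creates the LyncOnline hosting provider only if it is missing and then prints the other on-premises switches that also have to permit federation, since a user with a restrictive external access policy or a blocked domain gets the same 403. The second part covers steps 1 to 3 (the tenant's External communications settings) and assumes the Lync Online Connector module is installed on the machine you run it from; the credential is a placeholder.

```powershell
# Added example (not from the original post). Part 1: on-premises,
# Lync Server Management Shell.
$fqdn = 'sipfed.online.lync.com'

# 1. Hosting provider for Lync Online (idempotent).
$provider = Get-CsHostingProvider | Where-Object { $_.ProxyFqdn -eq $fqdn }
if (-not $provider) {
    New-CsHostingProvider -Identity LyncOnline -ProxyFqdn $fqdn -Enabled $true
} elseif (-not $provider.Enabled) {
    Set-CsHostingProvider -Identity $provider.Identity -Enabled $true
}

# 2. Edge-level federation switches. AllowFederatedUsers must be on;
#    EnablePartnerDiscovery lets the Edge find a partner's Access Edge
#    via DNS SRV when the domain is not explicitly allowed.
Get-CsAccessEdgeConfiguration |
  Select-Object AllowFederatedUsers, AllowOutsideUsers, EnablePartnerDiscovery, UseDnsSrvRouting

# 3. Per-user policies: EnableFederationAccess = False on the policy a
#    user holds produces the same 403 for that user only.
Get-CsExternalAccessPolicy |
  Select-Object Identity, EnableFederationAccess, EnablePublicCloudAccess, EnableOutsideAccess

# 4. A blocked domain overrides everything else; make sure the partner
#    is not listed.
Get-CsBlockedDomain | Select-Object Identity, Comment

# Part 2: tenant side (steps 1-3 above). Run from a separate shell with
# the Lync Online Connector module installed; -AllowClobber is needed
# because the online cmdlets share names with the on-premises ones.
Import-Module LyncOnlineConnector
$online = New-CsOnlineSession -Credential (Get-Credential)   # tenant admin (placeholder)
Import-PSSession $online -AllowClobber | Out-Null

# Current state, then the equivalent of "Turned on for all domains
# except blocked domains" and "Public IM connectivity mode: Enabled".
Get-CsTenantFederationConfiguration |
  Select-Object AllowFederatedUsers, AllowPublicUsers, AllowedDomains, BlockedDomains
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowPublicUsers $true

Remove-PSSession $online
```

Read the Part 1 output before changing anything: if AllowFederatedUsers is already True and the provider exists, the problem is almost always on the tenant side, which is exactly what the post found.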

Attempts to route to servers in an Exchange UM Dialplan failed - Lync 2010-2013

Symptom: When trying to check your voicemail from Lync, you notice that your call gets dropped/disconnected.  On the Front End server, you see the following error in the event log:

Attempts to route to servers in an Exchange UM Dialplan failed

No server in the dialplan [Hosted__exap.um.outlook.com__mydomain.onmicrosoft.com] accepted the call with id [c347a4ecc6e74651a2bdce6c43552e53].

Cause: Dialplan is not configured properly.

Resolution:

Check the configuration of the dialplan on Exchange UM Servers.

ExUM Error

Solution: Unfortunately, this seems to be caused by a couple of different things, so I would give all of the following a shot.

First, make sure you have created a Unified Messaging plan in your Office 365 Exchange Control Panel:

  1. Login to https://portal.microsoftonline.com/
  2. Click the Manage link next to Exchange on the dashboard
    Exchange Manage
  3. Click the Phone & Voice tab
    Phone & Voice
  4. Ensure you have a UM Dial Plan with the number you use in the New-CsExUmContact PowerShell command given later in this post.  Your settings might differ from the screenshot below, but make sure SIP URI is selected as the URI type.
    New UM Dial Plan
  5. Select your plan from the UM Dial Plans list and click the Configure UM Dial Plan button as shown below:
    UM Dial Plan Configuration
  6. Enter the number your users dial to reach voicemail under both E.164 routing numbers for your SIP server and Numbers for users to access voice mail boxes.
    Configure Voicemail Plan


If you're running Lync 2010 and 2013 at the same time, check this option in Topology Builder to make sure federation is enabled:

  1. Open the Lync Server Topology Builder
  2. Download the current topology from the existing deployment
  3. Right click on the first site (the node under Lync Server) and then click Edit Properties...
  4. Scroll down to Site federation route assignment and make sure Apply federation route assignments to all sites is checked.
  5. Make sure Enable SIP federation is checked as well and then click OK
  6. Click on Action->Topology->Publish...

If the above doesn't work, try running the following PowerShell commands in the Lync Server Management Shell on your Front End server.

  1. Modify the global HostedVoicemailPolicy (make sure to use your tenant's onmicrosoft.com domain, not the SIP domain you would normally use):
    1. Set-CsHostedVoicemailPolicy -Identity Global -Destination exap.um.outlook.com -Organization domain.onmicrosoft.com
  2. Create a Lync contact for Hosted UM (make sure the number matches the one in the Office 365 Unified Messaging dial plan.  The -OU value can be changed to place the generated UM contact in any OU of your choosing; I just picked the default Users container for simplicity):
    1. New-CsExUmContact -DisplayNumber +15555555555 -SipAddress sip:[email protected] -RegistrarPool FQDNTOPOOL -OU "CN=Users,DC=domain,DC=com"
  3. Associate your newly created Lync contact with your Hosted Voicemail Policy:
    1. Grant-CsHostedVoicemailPolicy -Identity "sip:[email protected]" -PolicyName global

Lastly, if things still aren't working, make sure you have created a hosting provider for Exchange Online Unified Messaging by executing the following command:

  1. New-CsHostingProvider -Identity "Exchange Online" -Enabled $True -EnabledSharedAddressSpace $True -HostsOCSUsers $False -ProxyFqdn "exap.um.outlook.com" -IsLocal $False -VerificationLevel UseSourceVerification
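
The commands from this post combined into one script, as an added example that is not part of the original post. It applies them idempotently, then verifies the pieces the ExUM error actually depends on: the dial plan name in the event (`Hosted__<destination>__<organization>`) is built from the hosted voicemail policy, and a user only reaches hosted UM at all when HostedVoiceMail is set on the account. Run it in the Lync Server Management Shell. The tenant domain, pool FQDN, SIP address, OU and access number are placeholders; Test-CsExUMConnectivity exists in Lync Server 2013 only.

```powershell
# Added example (not from the original post). All values below are
# placeholders; replace them with your own.
$tenant   = 'contoso.onmicrosoft.com'   # tenant domain, not the vanity SIP domain
$exumFqdn = 'exap.um.outlook.com'
$pool     = 'pool01.contoso.com'
$umNumber = '+15555555555'              # must match the Office 365 UM dial plan
$umSip    = 'sip:exum@contoso.com'
$ou       = 'CN=Users,DC=contoso,DC=com'

# 1. Hosting provider for Exchange Online UM (create once).
if (-not (Get-CsHostingProvider | Where-Object { $_.ProxyFqdn -eq $exumFqdn })) {
    New-CsHostingProvider -Identity 'Exchange Online' -Enabled $true `
        -EnabledSharedAddressSpace $true -HostsOCSUsers $false `
        -ProxyFqdn $exumFqdn -IsLocal $false `
        -VerificationLevel UseSourceVerification
}

# 2. Global hosted voicemail policy pointing at the tenant.
Set-CsHostedVoicemailPolicy -Identity Global -Destination $exumFqdn -Organization $tenant

# 3. Subscriber-access contact object (create once).
if (-not (Get-CsExUmContact | Where-Object { $_.SipAddress -eq $umSip })) {
    New-CsExUmContact -DisplayNumber $umNumber -SipAddress $umSip `
        -RegistrarPool $pool -OU $ou
}

# 4. Verification. The dial plan named in the Front End event is
#    Hosted__<Destination>__<Organization>, so these two fields must
#    match what the Office 365 UM dial plan expects.
Get-CsHostedVoicemailPolicy | Select-Object Identity, Destination, Organization
Get-CsExUmContact | Select-Object SipAddress, DisplayNumber, RegistrarPool, HostedVoiceMailPolicy

# Enterprise Voice users are routed to hosted UM only when HostedVoiceMail
# is set on the account. List the ones that are not.
Get-CsUser -Filter { EnterpriseVoiceEnabled -eq $true } |
  Where-Object { -not $_.HostedVoiceMail } |
  Select-Object SipAddress, HostedVoiceMail, HostedVoiceMailPolicy

# Optional end-to-end test from a test user's point of view (Lync Server 2013).
$cred = Get-Credential 'contoso\testuser'
Test-CsExUMConnectivity -TargetFqdn $pool -UserSipAddress 'sip:testuser@contoso.com' -UserCredential $cred
```

If the last query lists the user whose voicemail call is dropping, `Set-CsUser -Identity <user> -HostedVoiceMail $true` is the missing step, not the dial plan.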

[Office 365] Access to the registry key "HKEY_LOCAL_MACHINE\Software\Microsoft\MSOLCoExistence" is denied

If you receive the following error when configuring the Microsoft Directory Synchronization Tool to communicate with Office 365:
"Access to the registry key 'HKEY_LOCAL_MACHINE\Software\Microsoft\MSOLCoExistence' is denied"

Make sure you right click and run the tool as an administrator 🙂  The wizard writes to HKEY_LOCAL_MACHINE, which a non-elevated process cannot do even when your account is a local administrator.

Microsoft Online Service Directory Synchronization Configuration Wizard in the Configuration step. The error