Tag Archives: Office 365

Office 365 - Single Sign-On for SharePoint, Skydrive, CRM, etc. via Smart Links

Update: I have released a smart link generator to have these items created automatically, please find this here: http://jackstromberg.com/o365-smart-linksso-link-generator/

Synopsis: One of the biggest problems I have seen with Office 365 is ease in accessibility to all of the Office365 resources.  As pointed out on many of the Microsoft forums, SharePoint, CRM, Skydrive, etc. do not automatically complete a single-sign on request when browsing the website.

Problem: When a user browses https://mydomain.sharepoint.com for example, the user is prompted to enter in their email address.  What a user expects is that they should automatically be logged in and see sharepoint when navigating to https://mydomain.sharepoint.com  Additionally, for whatever reason, users cannot remember the website address to https://mydomain.sharepoint.com  Instead, they want to do something like http://sharepoint.mydomain.com

Solution: Create name branded "fancy URLs" that will complete an idp claim to give the user a true SSO experience.

  • http://owa.mydomain.com
  • http://sharepoint.mydomain.com
  • http://skydrive.mydomain.com
  • http://crm.mydomain.com


  1. Open up Internet Explorer
  2. Navigate to https://mydomain.sharepoint.com
    Sign into Office 365
  3. Press F12 to open up the developer tools console (I am running IE 11, the console looks way different than previous versions of IE)
    Sign into Office 365 - Developer Console
  4. Scroll down and select the icon that looks like a little WiFi antenna
    Sign into Office 365 - Developer Console - Network
  5. Click the green play button
    Sign into Office 365 - Developer Console - Network - Start Capture
  6. Type in your email address as you would to login to sharepoint ([email protected])
  7. You should be redirected to your ADFS server and inside the network console, you should see a link like https://sts.mydomain.com/adfs/ls/?..................  Copy this link into notepad.
    Office 365 - Federated URL
  8. Remove the extra stuff from the debug console
    Office 365 - Federated URL - Notepad

    Office 365 - Federated URL - Cleaned - Notepad
  9. Remove everything from cbcxt=..... to wa=wsignin1.0
    Office 365 - Federated URL - cbcxt removed
  10. Remove the ct%3D1386214464%26 and bk%3D1386214464%26 parameters
    Office 365 - Federated URL - ct and bk removed
  11. Next, open up another new notepad document named index.html and paste the following text into it
    1. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>
      <meta http-equiv="refresh" content="0; url=https://sts.mydomain.com link goes here" /></head>


      Redirect to URL template

  12. Replace https://sts.mydomain.com link goes here with your new smart link and save the document.
    Redirect to federated URL
  13. Upload the index.html file to one of your your webservers
  14. Create a new A record called sharepoint.mydomain.com pointing to your webserver
  15. Now when a user browses http://sharepoint.mydomain.com, the user will automatically be redirected to your secure ADFS Proxy and authenticate automatically.

You will need to repeat the steps above for each of the Office 365 products your company uses.  The federated addresses do change, so you will have to follow all of the steps over again for each Smart Link you wish to create.


Here is an official article on creating smart links: http://community.office365.com/en-us/wikis/sso/using-smart-links-or-idp-initiated-authentication-with-office-365.aspx

Yammer and Office 365 Enterprise

If you are on the enterprise plans of Office 365 (E4 for example), your users may be eligible to use Microsoft's enterprise social network called Yammer.  This article will cover a few questions I was curious about when rolling out Yammer as well as what to expect.

How do I tell if I am eligible?

  1. Login to the Office 365 admin portal (https://portal.microsoftonline.com)
  2. Click on included services on the dashboard
    Office 365 Portal - Included Services

How do I activate Yammer?

  1. If you are eligible for the Yammer service, click on the Yes, activate Yammer Enterprise for my network
    Office 365 Portal - Included Services
  2. Click on the Activate Yammer Enterprise button
    Office 365 - Activate Yammer Enterprise
  3. You will be redirected to a screen where you see a loading bar.  Grab a can of pop/coffee/tea/water and come back.
    Office 365 - Were activating Yammer Enterprise
  4. Click on the Create Yammer Account link once Yammer Enterprise has been provisioned.
    Office 365 - Yammer Enterprise is now ready
  5. Type in the same email address you use for your Office 365 Admin credentials
    Sign Up for Yammer
  6. If successful, you should see the screen below:
    Yammer - Thank you for signing up
  7. Check your email and click on the Complete Signup button
    Yammer Activation Email
  8. Type in your information and click the Next button
    Yammer - Welcome to the network
  9. Click Next on the who do you work with page, or spam your colleagues to sign up as well.
    Yammer - Who do you work with
  10. Join or create any groups you would like and then click Next
    Yammer - Join Relevant Groups
  11. Optionally, add a profile picture and click Save & Continue
    Yammer - Add your profile photo
  12. Click on the 3 dots in the top right corner and select Network AdminYammer - Network Admin
  13. Welcome to your Yammer Enterprise Admin portal!  Here you can manage all aspects of Yammer for your organization.
    Yammer - Network Admin - Dashboard
  14. Lastly, if you go back to your Office 365 Admin portal, you should see a link that will redirect you to the Yammer.com website.
    Office 365 - Admin - Yammer


Does Yammer support single-sign on or ADFS?

Currently, Yammer does not support this integration at this time.

Will Yammer find users previously signed up with email addresses from @mydomain.com?


Does Microsoft have plans on continuing to integrate Yammer and Office 365?

Yes, Microsoft has announced they would like deeper integration with Office 365, more specifically with functionality in SharePoint.  Quarter 4 of this year (2013) was their deadline for the first integration, and we have seen they have started to deliver.  However, there are no specific dates yet of when users will be 100% synchronized between the two systems.

When I activate Yammer on Office 365 for my organization will it email all of my users to create profiles?

No, they will have to manually join or you will have to manually send them invites to create a separate Yammer account.

AD RMS (Rights Management Services) for Office 365

Note: This guide is deprecated.  AD RMS is now supersceeded by Azure Information Protection.  If you have previously used this guide, review the following guide on Migrating from AD RMS to Azure Information Protection.


Those that have the following tiers of Office 365 are entitled to use Microsoft's AD Rights Management Service to help secure their documents:

  • SharePoint Online Enterprise (E1),
  • SharePoint Online Enterprise (E3 & E4),
  • SharePoint Online Midsized Business

Here is a list of compiled questions I wanted to know when trying AD RMS for Office 365.

What is AD Rights Management Services?

Active Directory Rights Management Services (AD RMS) is an information protection technology that works with AD RMS-enabled applications to help safeguard digital information from unauthorized use. Content owners can define who can open, modify, print, forward, or take other actions with the information.

Are their any examples of using AD Rights Management Services?

Office 365 did a pretty good job covering the concept of using AD RMS as well as how to use AD RMS.  You can find the full tutorial here, however their official YouTube video covering this has been embedded below:

How do I deploy or enable AD Rights Management Services for Office 365?

  1. Login to your Office 365 Administration Portal
    1. https://portal.microsoftonline.com/
  2. Select service settings on the left side navigation
    Office 365 Admin Portal - Service Settings
  3. Select the rights management tab and click on the Manage link
    Office 365 Admin Portal - Service Settings - rights management
  4. The Manage link should redirect you over to activedirectory.windowsazure.com and present you a big activate button.  Click the activate button.
    Activate Office 365 RMS
  5. Click activate on the Do you want to activate Rights Management? prompt
    Do you want to activate Rights Management
  6. After clicking the activate button, you should now see Rights management is activated on the windowsazure.com page
    Rights management is activated

How do I create more policy templates for AD RMS using Office 365 or Windows Azure?

As pointed out in the following Office 365 forum article: http://community.office365.com/en-us/forums/148/t/177332.aspx

By default, in a pure Office 365 environment, we can get 3 RMS Templates in Windows Azure Rights Management. If we have an on-premises server running Active Directory Rights Management Services (AD RMS), we can get more via import a trusted publishing domain (TPD). So, without on premise server, we just can get default 3 Templates.

I enabled AD RMS for Office 365, but I don't see any options in Office 2010.  How do I get Office 2010 to use AD RMS?

Since you are more than likely on the E4 tier, I would highly recommend downloading Office 2013 from your Office 365 portal and installing that.  Office 2013 from the Office 365 portal comes preconfigured to work more fluidly with AD RMS.  However, if you need to use Office 2010, you can complete the following steps as documented on the following technet article: http://technet.microsoft.com/en-us/library/jj585031.aspx#sectionSection1

Can people outside my organization open protected documents with AD RMS (not apart of my domain)?

Short answer, Yes.  Long answer, they are required to create a Microsoft account using their email address (Gmail, AOL, Yahoo, etc) to authenticate themselves.  Below are some screenshots of the registration process; I have copied them from the following technet article for archival purposes: http://blogs.technet.com/b/rms/archive/2013/08/29/the-new-microsoft-rms-is-live-in-preview.aspx

RMS Login


RMS Login 2

RMS Login 3

How can an Office 365 customer purchase Microsoft Rights Management Services (RMS)?

Active Directory RMS is already included in the Office 365 Enterprise E3, and E4 plans and the Education A3 and A4 plans. RMS is also available as an add-on in the E1 and A2 plans. Consumption of rights-protected content is free. A license is required to protect content.

Where did FOPE go in the Office 365 Admin Portal?

Today a coworker logged into one of our Office 365 Admin Portals and noticed that the Forefront Online Protection for Exchange (FOPE) link was removed to manage mail flow rules.  After searching the entire admin panel, turns out Microsoft removed access to FOPE and has instead integrated a new "mail flow" area to manage the Exchange rules.  While this is all good and fine, would have been nice to get an email saying the changes to the portal were going to be done.

Any who, here is where you can now begin to create/edit/delete your mailflow rules (note, all previous rules were automatically migrated from Forefront Online Protection for Exchange (FOPE) to what is now called Exchange Online Protection (EOP).

  1. Login to Office 365 Admin Portal
  2. Click on Admin -> Exchange
    Office 365 Admin Portal - Exchange Link
  3. Select the mail flow link on the left
    Exchange admin center - mail flow
  4. On the rules tab, you can now manage all of the mail rules as you would have done in FOPE.
    1. In the picture below, you can see some of the rules that were automatically moved from FOPE over to Microsoft's new system (Migrated FOPE Policy Rule ID: xxxxxx).
      Exchange admin center - mail flow - rules


Notes: It looks like Microsoft has released one official knowledge base article regarding this, which can be found here: http://technet.microsoft.com/en-us/library/dn308542%28v=exchg.150%29.aspx

[Office 365] - Forwarding email from one mailbox to another with ADFS turned on

Synopsis: Employee leaves on personal matters for a month and their department lead requests for mail to be forwarded to their manager.  Typically, mail forwarding would be setup inside of the Exchange console, however, in this case, Exchange is managed by Office 365 (not a hybrid exchange deployment) and the users are being federated to Office 365 via ADFS.  When trying to enable mail forwarding, as outlined in the this help document by the Office 365 team http://community.office365.com/en-us/wikis/exchange/how-to-forward-email-in-office-365.aspx, I would receive an error message.

Symptom: When enabling mail forwarding for the user inside of the Office 365 Exchange portal, I received the following error message:

The action 'Set-Mailbox', 'EmailAddresses', can't be performed on the object 'Firstname Lastname' because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.


Personally, I think this is a bug in Office 365, but they say it is because we are on premise (if all of exchange is managed by them, how can they not enable mail forwarding?).  Any who, the work around is to manage the user's mailbox and set forwarding up as if they would.  See the steps below to achieve the same result:

  1. Login to your Office 365 admin portal.
  2. Click on the Admin dropdown and select Exchange
  3. Once in the Exchange portal, click on your username and select Another user...
    Exchange - Another User
  4. Type in the mailbox you want to edit and click ok
    Select Mailbox
  5. On the "Managing on behalf of" screen, select Forward your email
    Exchange - Forward Your Email
  6. Scroll down to forwarding and type in the email address of the user you want all emails to go to and click start forwarding.  You can optionally select if you want to leave a copy for the user's mailbox or have them silently forwarded.
    Exchange - Start Forwarding
  7. That's it! 🙂

Lync On-Premise with Office 365 Federation - error ID 403

When communicating to hosted companies in Office 365 from an On-Premise Lync environment, I had begun seeing the following symptoms:

  1. Presence defaulted to Unknown for federated contacts:
    Lync Presence unknown
  2. When joining someone's meeting or sending them an IM, I would see the following:
    "When contacting your support team, reference error ID 403 (source ID 239)."
    Lync Meeting Error ID 403 (Source ID 239)
  3. Inside of event viewer, I saw:
    403 Forbidden
    ms-diagnostics-public: 1034;reason="Previous hop federated peer did not report diagnostic information";Domain="othercompanydomainon.com";PeerServer="sipfed.online.lync.com"
    Lync Office 365 Federation Error


Interestingly enough, even though you have an On-Premise Lync environment, it appears that Office 365 will tie back to your account for some settings.  In my case, I had not enabled federation to other PIC providers on Office 365.

To resolve the issue, please follow the steps below:

  1. Login to the Office 365 Admin Portal
  2. Click on Manage Lync
    Manage Lync - Office 365
  3. Click on the External communications tab and ensure the following settings:
    1. Domain federation mode: Turned on for all domains except blocked domains (you can switch to the other mode, just keep in mind you will have to whitelist every domain you are enabling communication with)
    2. Public IM connectivity mode: Enabled
    3. Lync - Office 365 - External communications
  4. Next, head over to the Lync Online Control Panel for your on-premise Lync deployment.
  5. Select the Federation nand External Access tab and then select SIP Federated Providers
  6. Ensure you have created a rule for the provider LyncOnline that is federated to sipfed.online.lync.com
    Lync - SIP Federated Providers

    1. To create the provider via the Lync Server 2013 Control Panel
      1. Select New... and then click Hosted Provider
        1. Enable communications with this provider: Checked
        2. Provider Name: LyncOnline
        3. Access Edge Service (FQDN): sipfed.online.lync.com
        4. Click Commit
    2. To create the provider via PowerShell, execute the following command:
      1. New-CSHostingProvider -identity LyncOnline -ProxyFqdn sipfed.online.lync.com -Enabled $True

Wait a few minutes for the changes to take effect, exit out of your Lync client on your workstation, reopen and you should now be able to communicate to your federated partner.

Attempts to route to servers in an Exchange UM Dialplan failed - Lync 2010-2013

Symptom: When trying to check your voicemail from Lync, you notice that you call gets dropped/disconnected.  Inside of the front end server, you notice the following error log:

Attempts to route to servers in an Exchange UM Dialplan failed

No server in the dialplan [Hosted__exap.um.outlook.com__mydomain.onmicrosoft.com] accepted the call with id [c347a4ecc6e74651a2bdce6c43552e53].

Cause: Dialplan is not configured properly.


Check the configuration of the dialplan on Exchange UM Servers.

ExUM Error

Solution: Unfortunately, this seems to be caused by a couple of different things, so I would give all of the following below a shot.

First, make sure you have created a Unified Messaging plan in your Office 365 Exchange Control Panel:

  1. Login to https://portal.microsoftonline.com/
  2. Click the Manage link next to Exchange on the dashboard
    1. Exchange Manage
  3. Click the Phone & Voice tab
    1. Phone & Voice
  4. Ensure you have a UM Dial Plan with the number you used in the New-CsExUmContact powershell command you ran earlier.  Your settings might differ on the screenshot below, but just make sure you have SIP URI selected.
    1. New UM Dial Plan
  5. Select your policy from the UM Dial Plans list and click the Configure UM Dial Plan button as shown below:
    1. UM Dial Plan Configuration
  6. Make sure you configure the number you want your users to dial to access their voicemail in the E.164 routing numbers for your SIP server and Numbers for users to access voice mail boxes.
    1. Configure Voicemail Plan


If your running Lync 2010/2013 at the same time, check out this option in topology builder to make sure you have enabled federation:

  1. Open up the Lync Server Topology Builder
  2. Download the latest topology
  3. Right click on the first site (the node under Lync Server) and then click Edit Properties...
  4. Scroll down to Site federation route assignment and make sure Apply federation route assignments to all sites is checked.
  5. Make sure Enable sip federation is checked as well and then click OK
  6. Click on Action->Topology->Publish...

If the above doesn't work, try running the following powershell commands on your front-end server.

  1. Modify the global hostedvoicemailpolicy (make sure to use your onmicrosoft domain name, not your FQDN you would use normally):
    1. Set-CsHostedVoicemailPolicy -global -Destination exap.um.outlook.com -Organization domain.onmicrosoft.com
  2. Create Lync contact for Hosted UM (make sure to set the number as the same one in the Office 365 Unified Messaging area. The last value below can be changed to put the UM contact that will be generated in AD, in any OU of your choosing; I just picked the default users one for simplicity.
    1. New-CsExUmContact -DisplayNumber +15555555555 -SipAddress sip:[email protected] -RegistrarPool FQDNTOPOOL -OU "CN=Users,DC=domain,DC=com"
  3. Associate your newly created Lync contact with your Hosted Voicemail Policy:
    1. Grant-CsHostedVoicemailPolicy -identity "sip:[email protected]" -policyname global

Lastly, if things still aren't working, make sure you have enabled federation with Office 365's exchange server for Unified Messaging by executing the following command:

  1. New-CsHostingProvider -Identity "Exchange Online" -Enabled $True -EnabledSharedAddressSpace $True -HostsOCSUsers $False -ProxyFQDN "exap.um.outlook.com" -IsLocal $False -VerificationLevel UseSourceVerification

[Office 365] Access to the registry key "HKEY_LOCAL_MACHINE\Software\Microsoft\MSOLCoExistence" is denied

If you receive the error when configuring the Microsoft Directory Synchronization Tool to communicate with Office 365:
"Access to the registry key 'HKEY_LOCAL_MACHINE\Software\Microsoft\MSOLCoExistence' is denied"

Make you you right click and run the tool as an administrator 🙂

Microsoft Online Service Directory Synchronization Configuration Wizard in the Configuration step. The error

[Office 365] Delete a user account sitting in Recycle bin

Normally, user accounts that are deleted within Office 365 sit in "The recycle bin" where they can be recovered if needed. You can't, however, delete users from that gray area within the web GUI. If you wanted to, say, delete and remove the license from a user and create a non-licensed shared mailbox, you're boned without emptying it from the recycle bin first.

Before you start,you'll need Microsoft Online Services Module for Powershell

  • http://onlinehelp.microsoft.com/Office365-enterprises/ff652560.aspx

To remove a specific user account from the Recycle Bin

  1. Connect normally, except add in connecting to the MSO server
    1. $LiveCred = Get-Credential
    2. $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
    3. Import-PSSession $Session
    4. Connect-MSOLService -Credential $LiveCred
  2. The ReturnDeletedUsers switch returns accounts found in the recycle bin. To return all:
    1. Get-MSOLUser -ReturnDeletedUsers
  3. If you find the account you want to remove, it's a simple cmdlet to do so: where "Email Address" is the upn of the actual account
    1. Remove-MSOLUser -UserPrincipalName "Email Address" -RemoveFromRecycleBin
  4. If you're removing an account in order to recreate it, you'll have to wait 5-10 minutes before O365 will allow you to recreate over the deleted account.

If you don't have a problem nuking them all, you can empty all via piping the get to the remove

#Haven't tested this one; have a nagging you may need to fill an array and foreach through all the elements actually.

Get-MsolUser -ReturnDeletedUsers | Remove-MsolUser -RemoveFromRecycleBin -Force