Active-Directory

Connect to Exchange Online PowerShell with MFA enabled account

Connecting to Exchange Online PowerShell was only possible with an account that did not have MFA enabled, because the remote PowerShell session could only handle basic authentication. This is a problem, because Microsoft advises that accounts used for administrative tasks have MFA enabled. So we had to choose between an account without MFA (and a possible security breach) and an account that cannot connect to Exchange Online.

To work around this, we kept a dedicated account that was disabled by default and only enabled it when Exchange tasks had to be done. That works, but it is not a great solution.
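Added example, not from the original post: the ExchangeOnlineManagement module uses modern authentication, so an MFA-enabled admin can sign in interactively, and scheduled scripts can use app-only certificate authentication instead of a break-glass account without MFA. The UPN, app ID and thumbprint are placeholders.

```powershell
# Added example (not from the original post): connect to Exchange Online PowerShell
# with an MFA-enabled account via the ExchangeOnlineManagement module (modern auth,
# no basic authentication). 'admin@contoso.com' is a placeholder UPN.

# Install once per machine; CurrentUser scope needs no local admin rights
if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
    Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser -Force
}
Import-Module ExchangeOnlineManagement

# Interactive sign-in: the browser prompt completes the MFA challenge,
# so the admin account no longer has to be excluded from MFA.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.com' -ShowBanner:$false

# Sanity check that the session is usable
Get-ConnectionInformation | Select-Object UserPrincipalName, TokenStatus, State
Get-AcceptedDomain | Select-Object Name, DomainType

# Always release the session when done
Disconnect-ExchangeOnline -Confirm:$false

# Unattended alternative for scheduled scripts (assumed app registration with the
# Exchange.ManageAsApp permission and a certificate in the local store; placeholders):
# Connect-ExchangeOnline -AppId '00000000-0000-0000-0000-000000000000' `
#     -CertificateThumbprint 'ABCDEF0123456789ABCDEF0123456789ABCDEF01' `
#     -Organization 'contoso.onmicrosoft.com'
```

The interactive path keeps MFA on the admin account; the app-only path removes the need for any shared "enable it when needed" account, because the script authenticates as an application with a certificate rather than as a user.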

SharePoint Saturday Munich 2017

This year's SharePoint Saturdays started with the one in Munich last weekend. This time there was also a pre-conference session on Friday. The sessions on Friday and Saturday were held in the brand-new building of Microsoft Germany.

Friday session

This year they organized two pre-conference sessions: a developer one about Office Dev PnP and an IT Pro one about SharePoint 2016. I went to the SharePoint 2016 session, where they talked about all aspects of SharePoint 2016. They started with the architecture and the differences between SharePoint 2013 and 2016. They also explained where the issues were and how to solve them. After the architecture session we went into the authentication options within SharePoint and hybrid identity. Here we looked at the identity options within Office 365 and the options to get your on-premises users into the cloud. The dependencies were also discussed, such as ADFS on-premises and what happens when your local internet line is down. After the lunch break we had a session about PowerShell and the Office Dev PnP PowerShell module that is available for on-premises and Office 365.

We ended the day with setting up Hybrid. Thomas did a complete hybrid setup in just one hour, with some preparation he had done beforehand. The most important part of the hybrid setup of Office 365 is that your identities are available in Office 365. When you have that part done and your SharePoint farm can talk to the internet, you can run a simple wizard from the SharePoint Online admin portal to set up the hybrid farm. This wizard will set up:

Upgrading an Office 365 Group to a Microsoft Team

Since a Microsoft Team depends on Office 365 Groups, and creating a Microsoft Team creates an Office 365 Group, I wanted to know whether it was possible to upgrade an already existing Office 365 Group to a Microsoft Team.

This is possible, but you need to keep a few things in mind to be able to upgrade a group to a Microsoft Team. So let's start at the beginning: creating a Microsoft Team can be done within the Microsoft Teams application by clicking "Create team", which gives you this simple screen to create a new team
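The same upgrade from PowerShell, as an added example that is not part of the original post: it attaches a team to an existing Office 365 Group with `New-Team -GroupId` and first checks whether the group already has a team. It assumes the ExchangeOnlineManagement and MicrosoftTeams modules are installed; the UPN and the group alias `projectx` are placeholders.

```powershell
# Added example (not from the original post): team-enable an existing Office 365
# Group instead of creating a new one from the Teams client.
# Assumptions: ExchangeOnlineManagement + MicrosoftTeams modules installed,
# 'admin@contoso.com' and 'projectx' are placeholders.

Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.com' -ShowBanner:$false
Connect-MicrosoftTeams

$alias = 'projectx'
$group = Get-UnifiedGroup -Identity $alias -ErrorAction Stop

# ResourceProvisioningOptions contains 'Team' once a group has been team-enabled,
# so check it before trying to upgrade the same group twice.
if ($group.ResourceProvisioningOptions -contains 'Team') {
    Write-Host "'$($group.DisplayName)' already has a team; nothing to do."
}
else {
    # -GroupId attaches a team to the existing group rather than creating a new group
    $team = New-Team -GroupId $group.ExternalDirectoryObjectId
    Write-Host "Created team '$($team.DisplayName)' for group $($team.GroupId)."
}

# Verify: Get-Team only returns groups that actually have a team attached
Get-Team -GroupId $group.ExternalDirectoryObjectId |
    Select-Object DisplayName, GroupId, Visibility
```

The membership, owners and mailbox of the group are kept; only the Teams workload is added on top of the existing group.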

Azure AD Connect with multiple forests

In the last week of 2016 I was working on an issue where some users in certain groups were not synchronized to Azure AD. The users themselves were in Azure AD, but the group membership did not sync. The cause was that the users were in a different forest than the group.

At this customer we have multiple forests with users from different countries, and they are starting to work together more. Now we had complaints that users were not able to access resources even though they had been placed in the correct groups. The issue was that the synchronization removed the users from the other forests from the group membership during the sync.

Azure Active Directory Connect Health update

For some time we have been able to see the health of Azure Active Directory Connect in the new portal (https://portal.azure.com), and since a few days ago the sync errors are displayed in this blade as well. This is a great addition, because it gives a better overview of the synchronization errors than the email you get every 30 minutes. I have also noticed that people create rules to move this email to another folder when it arrives, because it clutters the mailbox.

Azure B2B updates

A week ago Microsoft released the public preview of the Azure AD B2B invitation API. I had seen at Ignite in September that they were working on this. The announcement can be found here: https://blogs.technet.microsoft.com/enterprisemobility/2016/10/31/azuread-b2b-invitation-api-is-now-in-public-preview/

With this announcement I went looking into what other options there already are for inviting a partner into your Azure AD. The options at this moment are:

With these three options there is a way for every kind of administrator. The CSV function is a simple way to invite a larger group of users, but not the easiest one to work with. The UI in the new portal is a lot easier and integrates with adding a normal user to your AD. When the input recognizes a username with a domain not known to the Azure AD, it asks for a personal invitation message and sends an invite to that user.
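Added example, not from the original post: the invitation API driven from PowerShell, both for a single guest and for a CSV batch. It calls the current Microsoft Graph `POST /v1.0/invitations` endpoint rather than the 2016 preview endpoint, assumes `$accessToken` already holds a bearer token with the `User.Invite.All` permission (token acquisition is out of scope), and uses placeholder partner addresses plus a constructed `guests.csv`.

```powershell
# Added example (not from the original post): invite guests through the Microsoft
# Graph invitations API, singly or in bulk from a CSV.
# Assumptions: $accessToken is a valid bearer token with User.Invite.All;
# partner addresses and guests.csv are constructed placeholders.

$accessToken = '<bearer token with User.Invite.All>'   # placeholder
$headers = @{ Authorization = "Bearer $accessToken"; 'Content-Type' = 'application/json' }
$uri = 'https://graph.microsoft.com/v1.0/invitations'

function Invoke-GuestInvite {
    param(
        [Parameter(Mandatory)][string]$Email,
        [string]$DisplayName,
        [string]$Message = 'You have been invited to collaborate with us.'
    )
    $body = @{
        invitedUserEmailAddress = $Email
        invitedUserDisplayName  = $DisplayName
        inviteRedirectUrl       = 'https://myapps.microsoft.com'   # landing page after redemption
        sendInvitationMessage   = $true                            # let Graph mail the invite
        invitedUserMessageInfo  = @{ customizedMessageBody = $Message }
    } | ConvertTo-Json -Depth 3

    $result = Invoke-RestMethod -Method Post -Uri $uri -Headers $headers -Body $body
    # The response carries the created guest object, the invite status and the redemption URL
    [pscustomobject]@{
        Email     = $Email
        UserId    = $result.invitedUser.id
        Status    = $result.status
        RedeemUrl = $result.inviteRedeemUrl
    }
}

# Single invite
Invoke-GuestInvite -Email 'jane@partner.example' -DisplayName 'Jane Partner'

# Bulk invite from a constructed CSV with columns Email,DisplayName
@'
Email,DisplayName
alice@partner.example,Alice Partner
bob@otherpartner.example,Bob Other
'@ | Set-Content -Path .\guests.csv

Import-Csv .\guests.csv | ForEach-Object {
    Invoke-GuestInvite -Email $_.Email -DisplayName $_.DisplayName
}
```

Setting `sendInvitationMessage` to `$false` returns the `inviteRedeemUrl` without mailing the guest, which is useful when the invitation is delivered through your own onboarding workflow instead.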

Azure AD-directory settings

This week I was trying to find a good way to prevent the creation of Office 365 Groups. I love the functionality of Office 365 Groups, but it is still missing some key elements for use in a large corporation. The main thing missing is the ability to enforce a naming convention. Now you may say they released that. Well, that is partly true. The naming convention is only applied when you create an Office 365 Group in Exchange, Outlook or the Groups app. When you create a group from Planner or any other application that uses groups, the naming convention is not applied, because the naming convention you can set lives in Exchange. It was originally meant for distribution groups, but it also applies to Office 365 Groups created through the Exchange endpoint. The same goes for disabling the creation of Office 365 Groups: you can disable it, but that only applies to the same three applications as the naming convention.
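Added example, not from the original post: the Exchange-side settings that only the Exchange endpoints honour, next to the Azure AD directory setting from the `Group.Unified` template that restricts group creation for every workload. It uses the AzureADPreview `*-AzureADDirectorySetting` cmdlets of the post's era (current tenants would use Microsoft Graph PowerShell, e.g. `New-MgGroupSetting`, for the same setting). The UPN, the naming pattern and the `Group Creators` security group are placeholders.

```powershell
# Added example (not from the original post): Exchange-only switches versus the
# tenant-wide Azure AD directory setting for Office 365 Group creation.
# Assumptions: ExchangeOnlineManagement + AzureADPreview modules installed;
# 'admin@contoso.com', the naming pattern and 'Group Creators' are placeholders.

Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.com' -ShowBanner:$false
Connect-AzureAD

# 1) Exchange settings: only honoured by Exchange, Outlook/OWA and the Groups app,
#    exactly the limitation described in the post.
Set-OrganizationConfig -DistributionGroupNamingPolicy 'GRP_<GroupName>_<Department>'
Set-OwaMailboxPolicy -Identity 'OwaMailboxPolicy-Default' -GroupCreationEnabled $false

# 2) Azure AD directory setting: evaluated by every workload that creates groups
#    (Planner, Teams, SharePoint, ...), so this is the one that actually blocks creation.
$allowed = Get-AzureADGroup -SearchString 'Group Creators' | Select-Object -First 1
if (-not $allowed) { throw "Security group 'Group Creators' not found" }

$setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
if (-not $setting) {
    # No tenant-level setting yet: instantiate one from the template
    $template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq 'Group.Unified' }
    $setting  = $template.CreateDirectorySetting()
    $setting['EnableGroupCreation']         = 'False'
    $setting['GroupCreationAllowedGroupId'] = $allowed.ObjectId
    New-AzureADDirectorySetting -DirectorySetting $setting
}
else {
    # Setting exists: update it in place
    $setting['EnableGroupCreation']         = 'False'
    $setting['GroupCreationAllowedGroupId'] = $allowed.ObjectId
    Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting
}

# Verify the effective values
(Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }).Values
```

Members of the allowed security group keep the right to create groups from any application; everyone else is blocked tenant-wide rather than only in the Exchange clients. The same `Group.Unified` template later gained a `PrefixSuffixNamingRequirement` key that enforces a naming policy across workloads, which was not available when the post was written.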

Error: requested federation realm object does not exist

A few weeks ago a few users told us that they were not able to sign in to Office 365, with the error message "AADSTS50107: Requested federation realm object does not exist". After searching the internet I only found cases where a whole domain was unable to sign in because it was a subdomain that was not recognized by Office 365. The affected users were able to sign in to other applications on ADFS, and other users were able to sign in to Office 365 with that same domain name. This was a strange issue, because the error would suggest that everybody should have the problem, not just a few users on the domain.

Ignite 2016 Atlanta summary

Last week I had the privilege to attend Microsoft Ignite in Atlanta. The week was full of news, sessions and a lot of walking. Besides the sessions, the expo hall was large this year, and I spent a lot of time at the expo talking to vendors, partners and Microsoft.

I have created a PDF from all my notes. In a few notes I reference slides; the slides should become available on https://myignite.microsoft.com/videos, where all the videos are also published.