Office 365

How to change the ADFS 2.0 URL in a deployment used with Office 365

I just wanted to share a good article I followed yesterday when I needed to change the URL, and therefore also the certificate, in an Office 365 ADFS setup:

Remember always to use a publicly trusted certificate in a production environment; this is also required if you need SSO for your Office desktop deployment. You are also required to use an ADFS Proxy, or to publish ADFS through TMG, if you need to use SSO.

I found this great video that explains how to publish ADFS through TMG:

Important! Remember, as the video also shows, that when you create the web listener and use a wildcard (*) certificate like *, you type * in the Internal site name.


Microsoft Campus Days 2011 – Day 2


Day 2 of Microsoft Campus Days 2011 started with a sort of keynote session called “A World of Smart Devices” and the speaker was Søren Lau, Director of Channel Group in Denmark, Microsoft.

Søren also talked a lot about “Consumerization of IT” and how this is partly built upon users walking into companies with all these smart devices. He had a lot of the new smart devices on stage and talked about each of them. One of the devices that I would like to own is the Sony Vaio Z.


Now to the day 2 sessions; I attended the following:

  • C03 – Implementing Microsoft Office 365: Plan, Prepare and Migrate
  • I08 – System Center Service Manager 2012
  • I10 – System Center Orchestrator 2012
  • I12 – System Center Orchestrator 2012 and Automated Self-Service

C03 – Implementing Microsoft Office 365: Plan, Prepare and Migrate

Speaker: Haythum Auda, Enterprise Technology Architect, Microsoft & Henrik Jørgensen, Microsoft Architect, Microsoft

I already know a lot about Office 365 and how you can implement it in your business, but it’s always good to get a refresh of the knowledge that other people are bringing to the table. So I went to this session hoping to learn something new or remember something I had forgotten (which I normally never do :-)

I didn’t learn that much new at this session, but one thing the two speakers addressed quite well was that you need to make sure you have done all the preparation as thoroughly as possible; this includes checking all the prerequisites and informing the users as well as possible. They talked about how they always hold a “Solution Alignment Workshop” with the customer/users so they get all tasks in the migration process written down.

I08 – System Center Service Manager 2012

Speaker: Anders Ravnholt, Senior Business Development, Microsoft

This was a very exciting session where I was pleased to see that Microsoft has done a good job of optimizing and adding new features to System Center Service Manager 2012 (SCSM).

The focus in the development of SCSM 2012 has primarily been the following:

  • Better self-service portal
  • CMDB integration with SCVMM 2012 and System Center Orchestrator 2012
  • Better integration with SCOM, SCCM, AD etc.
  • Release Management
  • Data Warehouse & Reports with OLAP

Anders also mentioned that there will be integration from SCOM to Microsoft Azure, so that the information/alarms can be used in System Center Service Manager.

The SCVMM 2012 & System Center Orchestrator 2012 integration in SCSM 2012 will be able to automatically collect objects from the different libraries and import them into the CMDB. The objects that can be collected include:

  • RunBooks
  • Clouds
  • Templates
  • Services
  • VMs
  • Fabrics
  • Users

In SCSM there is also a focus on the service catalog, which is part of the self-service portal, so users get a nice overview of which services they have access to.

Anders also showed a demo of how you can extract KPI reports directly from Excel via OLAP cubes and PowerPivot, without needing to know SQL.

I10 – System Center Orchestrator 2012

Speaker: Jakob Gottlieb Svendsen, Senior Consultant from Coretech A/S

Back in December 2009 Microsoft bought the company Opalis Software, which made a product where you can build workflows and orchestrate different tasks in the Microsoft world. Microsoft is now ready to ship the first product to come out of the Opalis acquisition, and they have named it System Center Orchestrator 2012.

I think there is a huge potential in this product, not only because you can automate a lot of administrative tasks, but because of the extensive integration with other Microsoft products and the rest of the System Center suite.

This was also what Jakob talked a great deal about in this session, and he also showed how easy it is to build a workflow and integrate it into the self-service portal. He did a demo of a workflow where a user can request access to an AD group, and before the access is granted it needs an approval from the user’s manager.

In System Center Orchestrator 2012 the integration with third-party programs is done through integration packs, and a lot of vendors have already made their integration packs, like IBM, VMWare, HP, IBM TSM etc.

A big community is also starting to form around System Center Orchestrator, and by using the Quick Integration Kit (QIK), users/administrators can make their own integration packs to support their infrastructure.

I hope to get some more time to test System Center Orchestrator and hopefully write some more about it.

I12 – System Center Orchestrator 2012 and Automated Self-Service

Speaker: Jonas Ullman, Solutions Architect, GridPro and Patrik Sundqvist, Solutions Architect, GridPro

These two guys did a lot of demos, which was really inspiring and made me want to try it myself even more.

They did a demo where they were able to provision VMs in Hyper-V, and also Services in SCVMM, and make them accessible from the self-service portal. If you think about it, you will in the near future be able to build an IaaS solution with this.

I also talked to a couple of Microsoft employees after this session and asked them about integration with Office 365. They mentioned something about a product/integration pack that might be called “Orchestrator 365”, so let’s see if there will be any information about this soon.


Microsoft Campus Days 2011 – Day 1


A few weeks ago I went to Microsoft Campus Days 2011 in Copenhagen, Denmark. It was three days stuffed with sessions from Microsoft, Microsoft partners and Microsoft MVPs. So in this series I will try to briefly sum up what I saw and heard at the conference and what my opinion is on the different subjects.


The keynote was held by Microsoft Mobility Architect – Darren Hall and the main topic was “Consumerization of IT”. He talked about how the IT department needs to change its strategy so it can support all the new devices that users are bringing into the company and connecting to the network.

I think “Consumerization of IT” is a very exciting topic to follow, and we can already see how this is impacting the IT infrastructure and how everyone is talking about Bring Your Own Device (BYOD).

BYOD is not an answer to anything; it’s just an expression for something some companies would like to be able to support, so they can satisfy their users’ demands to use MacBooks, smart phones and tablets at work. But in most cases these demands don’t come from the regular user but more from the top-level users (CEO, CTO, CFO etc.). The regular user will in most cases be satisfied with getting a corporate laptop or desktop, and may even leave it at work (if a laptop) and not bring work home.

Now I could talk for hours about this, but let’s get on with how Microsoft is targeting it. Darren Hall pointed out two types of devices – trusted devices and untrusted devices: the trusted devices are the domain-joined devices and the untrusted devices are the non-domain-joined devices. I think this is a good way to look at devices, but as Darren Hall also pointed out, just because a device is trusted doesn’t mean that it’s secure.

Just because we can control and manage a device when it’s a member of our domain doesn’t secure the device, and thereby the data, any more. It’s more difficult than ever to secure the data, for the following reasons:

  • Smart Phones
  • Cloud Services
  • The electronic generation is here

I won’t explain in depth all the security issues surrounding these three subjects, but here are some hard facts you can try to put together:

  • Smart Phones:
    • Exchange, Gmail, Hotmail etc. on smart phones
    • 3G support
    • Cameras
  • Cloud Services:
    • Gmail, Office 365, Hotmail are cheap
    • Salesforce
    • Dropbox
  • The electronic generation is here:
    • In 2012, 1 out of 4 users that are hired is born and raised in the electronic world
    • This will change to 1 out of 3 in 2025

Keynote 2

The second keynote of day 1 was held by Microsoft Division Manager – Nana Bule and the main topic was the future of the workplace. This topic is also greatly impacted by the Consumerization of IT, so she also talked a little about this. But the best thing I think she did was to show a live demo of how Microsoft sees the future workplace, by inviting some fellow Microsoft employees onstage and doing a full demo of almost all the products of the Office 2010 suite. Of course this was not the normal Office 2010 suite; the demo was actually done on Office 365.

Office 365 is a very exciting product and I was glad to see the demo being done without any problems at all, very nice. She had a lot of customer cases to show, including some very big enterprises.

She also mentioned that they are working hard on the next version of Office, called Office 15 (Office 2010 = Office 14), which will focus on the touch screen and will probably be released around the time Windows 8 is released.


Now to the sessions. I went to the following sessions on day 1:

  • I01 – System Center 2012 Overview and Vision
  • I04 – System Center Virtual Machine Manager 2012
  • I05 – Windows Server ”8” Hyper-V

I01 – System Center 2012 Overview and Vision

Speaker: Anders Ravnholt, Senior Business Development, Microsoft

In this session Anders Ravnholt gave us a short overview of the upcoming System Center 2012 suite and what’s behind the choices Microsoft has made in the development of System Center 2012.

Microsoft has its focus on services and on making these services available to the users. So instead of focusing on the device, they are finally focusing on the user. This means that they now see two types of people:

  • Service Provider = Datacenter Admin (Administrator)
  • Service Consumer = Application Owner (User)

The focus in System Center 2012 is to make it easy for the Service Provider to administer, support and deliver the services to the Service Consumer, but there is also a great deal of focus on cloud and how to manage cloud services. Microsoft has a goal that it will be possible to manage everything from one console, no matter if it’s physical, virtual, IaaS, SaaS or PaaS. The product they will do this with is System Center 2012 App Controller, also known as “Project Concero”.

Anders Ravnholt also mentioned that it’s important to focus on getting the SLA between the Service Provider and the Service Consumer correct. The product that will help you with this is System Center 2012 Service Manager (SCSM), which is Microsoft’s answer to a complete ITIL-certified Service Desk tool including CMDB, self-service portal and data warehouse. SCSM looks like a very promising product, especially because of the deep integration with the other System Center products, such as System Center Operations Manager, System Center Configuration Manager and System Center Orchestrator.

I04 – System Center Virtual Machine Manager 2012

Speaker: Jacob Laue Petersen, Senior Consultant, MindZet A/S

One of the products that has got a big upgrade in System Center 2012 is System Center Virtual Machine Manager (SCVMM). In this session Jacob L. Petersen talked about some of the new features and a little about what the different functions are called in SCVMM if you know them from VMware, like this:

Hyper-V (SCVMM)              VMware
Dynamic Optimization (DO)    Distributed Resource Scheduler (DRS)
Power Optimization (PO)      Distributed Power Management (DPM)

Besides that he showed a lot of demos, one of them being how to make Service Templates simply by drag/drop elements into the designer.

I05 – Windows Server ”8” Hyper-V

Speaker: Brian Lauge Pedersen, DataCenter Technology Specialist, Microsoft

Unfortunately Brian was not able to do any demos of Windows 8, because internal Microsoft policy says that someone from Microsoft Corporate must be present every time a demo of Windows 8 is given. So instead Brian had cut together some video from the Microsoft //BUILD conference last month showing some of the new features in Windows 8 Hyper-V.

There is no doubt that Windows 8 Hyper-V will also have a big focus on cloud, both public and private. He showed how Hyper-V will support InfiniBand via RDMA and SMB 2.2, where they are able to exceed the performance of the PCI-X bus.

Besides InfiniBand support, there will also be the following new features: SMB 2.2, NIC teaming, local storage migration and Hyper-V Replica.

This was the end of day one and I will post my day 2 notes shortly.


Federation in the Cloud – Enable Free/Busy

Today I had to test how federation works between two organizations in Office 365. The goal was to get the free/busy function to work, so users from one organization can see the free/busy status of users in another organization when booking a meeting in Outlook.

This should be straightforward, because both organizations are already federated with the “Microsoft Federation Gateway” and therefore the only thing needed is to create a new organizational relationship between the two organizations. But there were some bumps along the way, and thus this article.

Environment overview

The first thing I did was to buy two domains and two Office 365 E3 plans. I did this at our local Office 365 syndication partner, so all the domain and DNS validation was fully automated and I was on my way very quickly.

The next thing I did was to create a normal user in both organizations and assigned them the Exchange license.

Next I installed two Windows 7 desktops in my virtual environment and installed Office 2010 Professional Plus on both of them. I registered the subscription on the two Office installations with the users I had just created, one on each desktop.

Then I started Outlook in both desktops and added the Exchange account for each user by using the auto discovery.

So now the environment looks like this:

Organization 1:

User: user1
Desktop: Win7test1
Software: Office 2010 Professional Plus

Organization 2:

User: user2
Desktop: Win7test2
Software: Office 2010 Professional Plus


Organizational Relationship

This Microsoft article describes how to configure an organizational relationship between two organizations in the cloud:

But here is how I did it…

Note! This is a one-way relationship, so it also has to be done in the other organization if you want a two-way relationship.

First log on as a local administrator on a desktop that has PowerShell and WinRM installed. If you use Windows 7, these are already installed. In this article I just used one of my virtual desktops (Win7test1).

  1. Open PowerShell as an administrator.
  2. Set the execution policy to RemoteSigned:

    Set-ExecutionPolicy RemoteSigned

  3. Now you need the Exchange Online cmdlets. They are imported the following way, which also connects you to your Office 365 tenant.
  4. Set the $LiveCred variable with the admin user and password:

    $LiveCred = Get-Credential

  5. Now create a session to the cloud (the Exchange Online remote PowerShell URL from the Microsoft article goes in -ConnectionUri):

    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri <Exchange Online PowerShell URL> -Credential $LiveCred -Authentication Basic -AllowRedirection

  6. And then import the session:

    Import-PSSession $Session

  7. Now you have the cmdlets and we can start creating the organizational relationship. Remember that this relationship enables the other organization to see free/busy for users in this organization.
  8. As the Microsoft article describes, you just have to run one command, but this is not entirely true: first we need to enable organization customization by running the Enable-OrganizationCustomization cmdlet.

    Then we can run the command:

    Get-FederationInformation -DomainName <the other cloud-based organization> | New-OrganizationRelationship -Name <the other tenant domain> -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails

    In my case it looked like this, with the other organization’s domain as the -DomainName value:

    Get-FederationInformation -DomainName <the other organization's domain> | New-OrganizationRelationship -Name domaintest2 -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails

  9. Now you’re set and the organizational relationship should work. Remember that this is a one-way relationship, so if you want users from the other organization to also see free/busy for the users in this one, do the same in that organization, connecting with the admin user for that organization.
    To see a user’s free/busy status, simply type the user’s mail address in the “All Attendees” pane in the “Scheduling Assistant”, see beneath:

    You might experience the following error; this is just because the servers are slow or busy. The information should arrive at some point, and if not, try restarting Outlook:

If the users want more information than just free/busy, they can simply change the default “Calendar Permissions”.
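To make the steps above repeatable and verifiable, here is an added example (not code from the original post) that wraps them in one function. It assumes steps 1 to 6 have already been done (an imported Exchange Online session), that Test-OrganizationRelationship is available in the tenant, and it defaults to AvailabilityOnly, the least detailed access level; run it once in each tenant for a two-way relationship.

```powershell
# Added example, not code from the original post. Assumes an Exchange Online
# remote PowerShell session is already imported (steps 1-6 above).
function New-FreeBusyRelationship {
    param(
        [Parameter(Mandatory = $true)] [string] $PartnerDomain,  # the other tenant's domain
        [Parameter(Mandatory = $true)] [string] $Name,           # relationship name, e.g. domaintest2
        [ValidateSet('AvailabilityOnly', 'LimitedDetails')]
        [string] $AccessLevel = 'AvailabilityOnly',              # least detail unless asked otherwise
        [string] $TestMailbox                                    # optional local mailbox, e.g. user1
    )

    # Step 8a: the tenant must be customizable before New-OrganizationRelationship works.
    # This is a one-off and complains if already done, so that outcome is ignored.
    Enable-OrganizationCustomization -ErrorAction SilentlyContinue

    # Step 8b: resolve the partner through the Microsoft Federation Gateway. This throws
    # if the partner domain is not federated, which is the most common reason it fails.
    $fed = Get-FederationInformation -DomainName $PartnerDomain -ErrorAction Stop
    Write-Host ("Partner {0}: application URI {1}, domains {2}" -f $PartnerDomain, $fed.TargetApplicationUri, ($fed.DomainNames -join ', '))

    # A second relationship for the same domain is rejected, so update an existing one instead.
    $existing = Get-OrganizationRelationship | Where-Object {
        @($_.DomainNames | ForEach-Object { $_.ToString() }) -contains $PartnerDomain
    }
    if ($existing) {
        Write-Host "Relationship '$($existing.Name)' already covers $PartnerDomain; updating it."
        Set-OrganizationRelationship -Identity $existing.Identity `
            -FreeBusyAccessEnabled $true -FreeBusyAccessLevel $AccessLevel
        $identity = $existing.Identity
    } else {
        $fed | New-OrganizationRelationship -Name $Name `
            -FreeBusyAccessEnabled $true -FreeBusyAccessLevel $AccessLevel | Out-Null
        $identity = $Name
    }

    # Step 9: read back what was stored rather than trusting that the pipeline succeeded.
    $rel = Get-OrganizationRelationship -Identity $identity
    if (-not $rel.Enabled -or -not $rel.FreeBusyAccessEnabled) {
        throw "Relationship '$identity' exists but free/busy is not enabled"
    }

    # Optional end-to-end check of the federation trust from one local mailbox's point of view.
    if ($TestMailbox) {
        Test-OrganizationRelationship -Identity $identity -UserIdentity $TestMailbox
    }
    return $rel
}

# Usage on the org 1 side; repeat in org 2 with the domains swapped for two-way free/busy.
# New-FreeBusyRelationship -PartnerDomain '<other tenant domain>' -Name domaintest2 `
#     -AccessLevel LimitedDetails -TestMailbox user1
```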


Office 365 launch – How to buy?

Office 365 is launching today which means that you will be able to buy Office 365 today. There are different ways to buy Office 365, you can buy it directly from Microsoft or from one of the Microsoft Office 365 syndication partners.

The difference between buying Office 365 directly from Microsoft and from an Office 365 syndication partner is the following:

If you buy directly from Microsoft:

  • You have to buy using a credit card (Visa/Mastercard/American Express)
  • The minimum subscription is one year
  • You will get the bill from Microsoft
  • You will only have the English support that Microsoft provide

If you buy Office 365 from a Microsoft syndication partner:

  • You can get monthly subscriptions
  • You can get a monthly bill
  • You don’t have to pay with credit card
  • You will receive the bill from the Syndication partner and not Microsoft
  • You will have access to the support provided by the syndication partner, which will normally be in the local language. The syndication partner’s support also has a direct line to the Microsoft Office 365 team



Office 365 Jump Start


Adam Carter aka “Adam Bomb” has published 15 videos on how to jump start Office 365 for IT Pros. You can see them all here:


Office 365 GA on June 28th

Last Friday Johan Roskill, Microsoft Corporate Vice President – World Partner Group, announced through Twitter that the public release of Office 365 will be June 28th.

June 28th is the date for General Availability of Office 365! > 100,000 real customers on beta…Partners, are you ready??? 

I’m really looking forward to seeing the first customers online and to seeing how big an impact this will have on Google Apps. But keep in mind that probably not all features will be supported from day 1 of GA; I think something like Lync voice (Plan E4) will be delayed a couple of months.


How Does ADFS Work With Office 365?

You might know something about Microsoft Active Directory Federation Services (AD FS), or maybe not, but basically it’s a Microsoft feature that enables SSO (Single Sign-On) between two domains/forests without using a normal domain trust relationship as many people know it.

ADFS is NOT a trust between two domains. Instead it uses a claims-based model, where claims are issued in SAML tokens and processed according to different rule sets by the claims engine, which has three primary tasks:

  1. Accepting incoming claims (acceptance rules)
  2. Authorizing claims requesters (authorization rules)
  3. Issuing outgoing claims (issuance rules)

Besides the claims engine, which processes the claim rules, ADFS has three main relationships that control this entire function.
These three relationships are:

  • Attribute Store
    This is where ADFS gets the users and their attributes from. This is normally Active Directory, but ADFS also supports LDAP and SQL.
  • Claims Provider Trust
    This is where the trust between the ADFS server and the claims provider is configured. Based on a set of rules called the “Acceptance Transform Rules”, the claims from the claims provider are filtered or passed through to the “Relying Party Trust”. You can say that in Office 365 the claims provider is the “Authentication Platform”.
  • Relying Party Trust
    This is where the trust between the ADFS server and the relying party is configured. Here ADFS controls which users have access to the relying party based on the “Issuance Authorization Rules”, and then it issues claims to the relying party based on the “Issuance Transform Rules”. You can say that in Office 365 the relying party is Exchange Online, SharePoint Online etc., but in reality it’s probably more the “Authentication Platform”.
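To see the two rule sets on the Relying Party Trust in practice, here is an added example (not code from the original post or from Microsoft’s Office 365 setup guide) for an AD FS 2.0 server: it prints the issuance transform and issuance authorization rules of the Office 365 trust and shows how an issuance authorization rule would limit token issuance to one AD group. It assumes the trust carries the default name “Microsoft Office 365 Identity Platform”; the group SID is a placeholder.

```powershell
# Added example, not code from the original post. Run on the AD FS 2.0 server;
# the trust name is the default created for Office 365 and the SID is a placeholder.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

function Show-Office365TrustRules {
    param([string] $TrustName = 'Microsoft Office 365 Identity Platform')

    $trust = Get-ADFSRelyingPartyTrust -Name $TrustName
    if (-not $trust) { throw "Relying party trust '$TrustName' not found" }

    # Issuance transform rules decide what ends up in the SAML token (for Office 365:
    # UPN and ImmutableID); issuance authorization rules decide who gets a token at all.
    Write-Host "--- Issuance transform rules ---"
    $trust.IssuanceTransformRules
    Write-Host "--- Issuance authorization rules ---"
    $trust.IssuanceAuthorizationRules
}

function Set-Office365PilotAuthorization {
    param(
        [Parameter(Mandatory = $true)] [string] $GroupSid,   # AD group whose members may sign in
        [string] $TrustName = 'Microsoft Office 365 Identity Platform',
        [switch] $Apply                                      # without -Apply, only print the rule
    )

    # Claim rule language: a "permit" claim is issued only when the incoming claims carry
    # the group's SID; a request that ends up with no permit claim is refused a token.
    $rule = @"
@RuleName = "Permit Office 365 pilot group only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$GroupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@
    Write-Host $rule
    if ($Apply) {
        # Replaces the default "permit everyone" authorization rule on the trust.
        Set-ADFSRelyingPartyTrust -TargetName $TrustName -IssuanceAuthorizationRules $rule
    }
}

# Usage: review the current rules first, then preview the restricted rule (placeholder SID).
Show-Office365TrustRules
Set-Office365PilotAuthorization -GroupSid 'S-1-5-21-0000000000-0000000000-0000000000-1234'
```

The authorization rules apply to every path into the trust, so a restriction like this also covers the Exchange Online “Proxy Auth” flow described further down, not only browser sign-in.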

All this might be a little hard to understand so I recommend reading the documentation Microsoft provides on understanding key concepts of ADFS, which can be found here

Here is how Microsoft has drawn the Claim pipeline:



But don’t be afraid: Microsoft has a nice and easy guide on how to set this up for Office 365 and your domain. This guide can be found on the Office 365 portal under Management -> Users -> next to Single sign-on, click “Set up”.

Ross Adams – Senior Program Manager at Microsoft – gave a very good presentation at TechEd 2011 on how ADFS works with Office 365. You can see the whole presentation here: Microsoft Office 365: Identity and Access Solutions.

I have done a little video and PowerPoint editing and will try to explain the three ways ADFS works with Office 365, as Ross Adams also explains in his TechEd session.

The first scenario is where a user is trying to access one of the web-based apps from a domain-joined client:

(Flash animation)

What happens in the flash animation above is the following:

  1. The user hits the web-based app.
  2. The web-based app says that you need to authenticate and returns a URL to the Authentication Platform.
  3. The Authentication Platform takes the domain/UPN the user typed in and knows that it is a federated domain/UPN, so it returns another URL to the client that points to the ADFS server.
  4. The ADFS server asks the user to authenticate via Kerberos or NTLM, and when the user is authenticated, the ADFS server gives the user a SAML token including the claims UPN and Source User ID (ImmutableID).
  5. The client embeds this token in the old URL and sends it off to the Authentication Platform.
  6. The Authentication Platform verifies the token and converts it to an Auth token, which contains the UPN and now a Unique ID from the Authentication Platform. This Auth token can now be used for login.
  7. It goes back to the client and then off to the web app.


The second scenario is where the sign-in assistant is used for accessing Lync Online from a domain-joined client:

(Flash animation)

What happens in the flash animation above is the following:

  1. First the user logs in to their machine/client.
  2. After login the sign-in assistant kicks in.
  3. The sign-in assistant already knows the UPN etc. of the user and goes directly to the Authentication Platform.
  4. The Authentication Platform returns a URL to the sign-in assistant pointing to the ADFS server.
  5. The sign-in assistant then goes to the ADFS server and authenticates via Kerberos or NTLM, and when it is authenticated, the ADFS server gives the user a SAML token including the claims UPN and Source User ID (ImmutableID).
  6. The sign-in assistant takes the token to the Authentication Platform.
  7. The Authentication Platform verifies the token and converts it to an Auth token, which contains the UPN and now a Unique ID from the Authentication Platform. This Auth token can now be used for login. Note that all of the above happens at logon and the user doesn’t see it.
  8. Now the user starts Lync.
  9. Lync connects to Lync Online.
  10. Lync Online requests an Auth token.
  11. The client has one of those and sends it to Lync Online.

The third scenario is the same as above (Lync Online) but now with Outlook/ActiveSync:

(Flash animation)

What happens in the flash animation above is the following:

  1. The user logs in and the sign-in assistant kicks in as above and does the round trip to get the Auth token.
  2. Now the user starts Outlook.
  3. Outlook connects to Exchange Online, which requests Basic authentication.
  4. The user gets a prompt and here they need to type in their username as a UPN. They can save this, but they will be prompted the first time.
  5. This is sent off to Exchange Online.
  6. Now Exchange Online does a trick called “Proxy Auth”, where it creates a shadow representation of the user.
  7. It then takes the domain/UPN from the Basic authentication and sends it to the Authentication Platform.
  8. The Authentication Platform returns the URL to the ADFS server.
  9. Exchange Online then takes the Basic authentication credentials and sends them to the ADFS server.
  10. The ADFS server authenticates with the Basic credentials and converts them to a SAML token including the claims UPN and Source User ID (ImmutableID).
  11. This comes back to Exchange Online.
  12. Exchange Online sends it to the Authentication Platform.
  13. The Authentication Platform verifies the token and converts it to an Auth token, which contains the UPN and now a Unique ID from the Authentication Platform. This Auth token can now be used for login.
  14. Exchange Online can now authenticate the user, and it deletes the shadow representation of the user.


Building and Migrating to Exchange 2010 SP1 Cloud Services

Microsoft has released a bundle of useful documentation and scripts with guidance for service providers on how to build and/or migrate to Exchange 2010 SP1 in hosting mode. This bundle could also come in handy when you want to migrate to the new Office 365 Exchange Online. The bundle can be downloaded here and it includes the following:

  • Building and Migrating to Exchange 2010 SP1 Cloud Services
  • Deploy OCS 2007 R2 onto Exchange 2010 SP1 Hosting
  • Exchange 2010 SP1 Hosting – Conceptual Architectures
  • Hosted WSS 3.0 to SharePoint Foundation 2010 Migration Guide
  • Overview – Building Microsoft Messaging and Collaboration Cloud Services
  • SampleExchangeMigrationScripts
    Script to export user and group information to ADMT (Active Directory Migration Toolkit)
    Scripts to import admin delegations, mail-enabled users, mail-enabled contacts, mail-enabled groups, SMTP domains etc., and also to prepare and move mailboxes
  • SampleSharePointMigrationScripts

The document “Exchange 2010 SP1 Hosting – Conceptual Architectures” includes some examples of how to build the big environments; here is a diagram of the biggest business tier:



Office 365 “Smart Links”

Yesterday I saw the following session from TechEd NA 2011: Microsoft Office 365: Identity and Access Solutions, where Ross Adams also does a demo of what he calls Office 365 “Smart Links”, which basically is a URL containing all the information needed to make a single sign-on to an Office 365 online resource. You can see the demo 42 minutes into the session.

Microsoft has made a Knowledge Base article about this:

When a user authenticates to web-based Office 365 resources, the default behavior requires the user to enter his or her user principal name (UPN) at the prompt to trigger the home realm discovery process. If you need a completely transparent single sign-on experience from on-premises domain-joined computers, you can deploy and use customized URLs to bypass the home realm discovery prompt

To correctly customize URLs, see the following example custom URLs.
Note: In the example URLs, replace by using the appropriate value of your Active Directory Federation Services (AD FS) 2.0 service endpoint.

  • To access the Microsoft Online Portal in Office 365, use one of the following URLs:
  • To access Microsoft SharePoint Online, use the following URL:
  • To access Microsoft Outlook Web App to connect to Microsoft Exchange Online, use the following URL:
