ADMX Backed – The Office Case

This case comes from one of my customers: they followed the Chrome example available at code.vmware.com, but it did not seem to work correctly for the Office ADMX available from Microsoft, as the profile reported “Install Failed”.

Step 1 – Reproduce

I created a custom XML in the console in this format:

<Add>
 <CmdID>2</CmdID>
 <Item>
  <Target>
   <LocURI>./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/OfficeADMX/Policy/Office16</LocURI>
  </Target>
  <Data>{ADMX DATA HERE converted from <value> to &lt;value&gt; }</Data>
 </Item>
</Add>


How to check the Immutable ID/Source Anchor

This article explains how to check which attribute is used as the source anchor for the synchronization between Active Directory and Azure Active Directory.

PowerShell

0 – Install necessary PowerShell Modules, if needed.

Install-Module MSOnline
Import-Module MSOnline

1 – Get User Immutable ID from Azure.

Connect-MSOLService
Get-MsolUser -UserPrincipalName user@domain.tld | select ImmutableID
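Going one step further than step 1, the following is an added example (not code from the original post) that compares the ImmutableID returned by Azure with the two on-premises attributes Azure AD Connect can use as source anchor, objectGUID and mS-DS-ConsistencyGuid. It assumes the ActiveDirectory module is available alongside MSOnline, that Connect-MsolService has already been run, and that user@domain.tld is a placeholder.

```powershell
# Added example, not from the original post: check which on-premises attribute
# the Azure AD ImmutableID was derived from for a given user.
# Assumes the MSOnline and ActiveDirectory modules are loaded and that
# Connect-MsolService has already been run.
function Test-SourceAnchor {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # Azure side: ImmutableID is the Base64 encoding of the anchor's 16 raw bytes.
    $immutableId = (Get-MsolUser -UserPrincipalName $UserPrincipalName).ImmutableId
    if (-not $immutableId) { throw "No ImmutableID for $UserPrincipalName (cloud-only user?)" }
    $anchorBytes = [Convert]::FromBase64String($immutableId)

    # On-premises side: read both candidate anchor attributes.
    $adUser = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'" `
                         -Properties objectGUID, 'mS-DS-ConsistencyGuid'
    $objectGuidB64  = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
    $consistencyB64 = if ($adUser.'mS-DS-ConsistencyGuid') {
        [Convert]::ToBase64String([byte[]]$adUser.'mS-DS-ConsistencyGuid')
    }

    # Base64 is case-sensitive, so compare with -ceq rather than the default -eq.
    [PSCustomObject]@{
        UserPrincipalName      = $UserPrincipalName
        ImmutableId            = $immutableId
        ImmutableIdAsGuid      = New-Object -TypeName System.Guid -ArgumentList (,$anchorBytes)
        MatchesObjectGuid      = ($immutableId -ceq $objectGuidB64)
        MatchesConsistencyGuid = ($null -ne $consistencyB64 -and $immutableId -ceq $consistencyB64)
    }
}

# user@domain.tld is a placeholder; replace it with the UPN to check.
Test-SourceAnchor -UserPrincipalName 'user@domain.tld'
```

If neither flag is true, the ImmutableID was set from something other than these two attributes (for example by hand with Set-MsolUser), which is worth knowing before you enable or change synchronization.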


ADFS Authentication with Office 365

  1. User goes to an Office 365 URL
  2. User is redirected to the Microsoft Federation Gateway (login.microsoftonline.com)
  3. User enters his UPN
  4. UPN is recognized by the MFG as belonging to a federated domain
  5. User is redirected to the ADFS server
  6. User uses his Kerberos TGT (Ticket Granting Ticket) to authenticate
  7. ADFS sends the TGT to the domain controller
  8. ADFS receives a Service Ticket telling who the user is
  9. ADFS uses the Service Ticket to query Active Directory for user attributes (UPN, First Name, Last Name, etc.)
  10. ADFS builds a SAML token with the user attributes
  11. ADFS server posts this SAML token via the user's browser to the MFG
  12. MFG verifies the SAML token signature to validate that it comes from the right ADFS server
  13. MFG creates its own SAML token (UPN is inside)
  14. The MFG SAML token is posted back to the Office 365 platform using the user's browser
  15. Office 365 looks for an account with the user's UPN

Office 365 – Lync User Migration – Move-CsUser : Exception of type ‘Microsoft.Rtc.Management.AD.Helpers.RollbackException’ was thrown

When you migrate a Lync 2013 user to Office 365, an error can occur in the following scenario:

  1. UCS is enabled, which is the default on Lync 2013 when you have Exchange 2013: https://technet.microsoft.com/en-us/library/jj204963.aspx (not supported on Exchange 2010)
  2. You have migrated the user mailbox to the cloud

When you type this command:

Move-CsUser -Identity <user@upn.tld> -Target sipfed.online.lync.com -Credential (Get-Credential) -HostedMigrationOverrideUrl https://admin.online.lync.com/HostedMigration/hostedmigrationservice.svc

You will get the following error:

Move-CsUser : Exception of type ‘Microsoft.Rtc.Management.AD.Helpers.RollbackException’ was thrown

The easy way to avoid this error is to move the Lync part before the user mailbox.

The other way is to force the migration with the -Force option, which can cause data loss.