Tag Archives: Microsoft Windows Azure

Technology

Self service password reset is not available for users on a trial Office 365 tenant

One of my customers is currently running an Office 365 pilot using a trial E3 tenant.  When Microsoft announced that self-service password reset is to be made available to cloud-based Office 365 users without the need for a separate Azure AD basic or premium subscription it sounded great to us as the requirement for users to reset their own passwords was one of the challenges we faced.  Unfortunately it’s not quite so simple – or at least not if you are not using a paid product (for example if you’re on an Office 365 trial).

Just to be clear, self-service password reset is still available for Global Administrators in Office 365 – it has been as long as I’ve been working with the product – I’m talking here about “normal” users.  In the Office 365 Admin Center, listed under Service Settings, Passwords is a section titled “let your people reset their own passwords” – but the feature is not actually controlled from within the Office 365 Admin Center – it redirects to the Azure AD Admin Center:

In my own tenant, that led to a simple sign-up for a $0 Azure subscription following which I can see my directory (remember Office 365 uses Azure AD for authentication), complete with all the domains and settings I configured via the Office 365 Admin Center over the years.  Dig a little deeper and in the configure screen is the ability to customise branding and to set the user password reset policy:

After enabling self-service password reset there are more options to control the experience (for example the available authentication methods) and a link to allow users to set up their details.  Unfortunately, none of this is available with a trial tenant and, when I tried to configure it, setting up an Azure subscription failed at the mobile verification stage and a service request raised with Microsoft Office 365 support confirmed that this is by design.

The relationship between Microsoft Office 365 and Azure

At a recent partner event, Microsoft Partner Technical Specialist, Robert-Jan Gerrits, answered a question that many people ask: does Office 365 run on Azure?

The short answer is “no” – the Office 365 infrastructure is dedicated – i.e. it’s not a bunch of VMs running on Azure; however there is a slightly longer answer.

Office 365 uses Azure for:

  • Office 365 video (media)
  • Azure blob storage (storage)
  • Azure AD for identity (identity)
  • Power BI app (cloud services)
  • Access services (storage)

Over time, we can expect to see more and more Office 365 components using Azure services but, for now, Office 365 is (almost) a standalone environment.

Microsoft #TechDays Online 2015

Last week was Microsoft UK’s TechDays Online conference, held over three days with thousands of virtual attendees watching/listening to sessions on a variety of topics, starting off in the IT Pro arena with a keynote on Windows 10 from journalist and author Mary Jo Foley (@MaryJoFoley), then Windows Server, on to Intune and Office 365, progressing to a variety of Azure topics, containerisation and DevOps with a keynote from Microsoft Distinguished Engineer Jeffrey Snover (@JSnover) and eventually into full developer mode with a keynote from Scott Hanselman (@SHanselman).

This is the fourth year that Microsoft has run these events and I was fortunate to be invited to watch the sessions being recorded.  I attended the first afternoon/evening and the second day – driving my Twitter followers mad with a Microsoft overload. For those who missed it, here’s a recap (unfortunately I couldn’t commit the time to cover the developer day):

(I later retweeted this:)

And we continue…

Actually, he didn’t – I later published this correction:

And back to my stream of Twitter consciousness:

Sadly, I missed Mary Jo Foley’s keynote (although I did manage to get over to Microsoft’s London offices on the second evening for a Live recording of the Windows Weekly podcast and caught up with Mary Jo after the event).

Sessions were recorded and I’ll update this post with video links when I have them.

Choosing an Office 365 identity model (when to use ADFS)

At the time of writing, Microsoft Office 365 has the ability to work with three identity models:

  • Cloud identity (stored in Microsoft Azure Active Directory).
  • Synchronised identity (a copy of the objects from an on-premises Active Directory is made in Microsoft Azure AD), optionally with synchronised password hashes.  This is also known as same sign on (not single sign on as there are still two separate objects, albeit two objects that are kept synchronised).
  • Federated identity, using a federation service (such as Active Directory Federation Services, but others are supported) to authenticate users in an on-premises directory following which authorisation can be granted to Office 365 resources. This is also known as single sign on.  In this instance, directory synchronisation is still used to populate the Azure AD with user objects, although authentication happens on-premises.

Whilst the majority of small businesses will be fine with cloud identities, many of my conversations with enterprise customers start off in the directory synchronisation space. Generally, synchronisation is performed using the Office 365 DirSync appliance (a customised version of Forefront Identity Manager) although, more recently, a new tool (Azure AD Sync) has been released that will eventually replace DirSync.  At the time of writing the main difference is that Azure AD Sync supports multiple forests (DirSync is a single forest solution) but it doesn’t support password synchronisation (still a major advantage for DirSync).

In general, the approach I recommend is to choose the simplest model for the organisation’s needs. The cloud identity model can work well when there is no on-premises directory service or there is no requirement to integrate; synchronised identity is the most commonly used (assuming there is an existing Active Directory) but sometimes federation is required:

  1. If there is an existing ADFS infrastructure.
  2. If a third party federated ID provider is in use.
  3. If Forefront Identity Manager 2010 is in use (which does not support password synchronisation).
  4. If there are multiple on-premises Active Directory forests (although Azure AD sync may negate this requirement).
  5. If smart cards or other third-party multi-factor authentication solutions are in use (Azure AD does have an MFA capability, although there are some restrictions on its use).
  6. If custom hybrid apps or hybrid search are in use (SharePoint).
  7. If a hybrid Lync solution is in use (i.e. placing users with enterprise voice capabilities on premises and those that don’t need voice in Lync Online, sharing the same SIP namespace).
  8. For self-service password reset via a web service (only administrators have self-service password reset in Office 365).
  9. If there is a requirement to audit logins and/or immediately disable accounts.
  10. If there is a requirement for single sign-on (i.e. accessing Office 365 workloads with the same user credentials as on-premises).
  11. If there is a requirement to restrict client logins by time or location.
  12. If the organisational security policy prevents the synchronisation of password hashes to Azure AD.

On a related topic, the Microsoft Online Services Sign-in Assistant (MOSA) for IT Professionals only exists to simplify the user experience (handling tokens, etc.) and is generally not required with modern versions of Office. Administrators using PowerShell may still need it though.

Finally, if ADFS is down, there is no way for users to authenticate. For that reason, federated infrastructure needs to be highly available (e.g. multiple ADFS proxies and multiple ADFS servers).  One method that’s starting to be commonly recommended is an “ADFS safety net”, using DirSync as a fall back (it’s possible to move between identity models on demand) but obviously that’s only an option if your organisation’s security policy allows the synchronisation of identities (including password hashes to minimise the impact on end users).

For reference, the PowerShell commands are:

# Federated -> synchronised ("standard", i.e. managed) and back to federated again.
# -PasswordFile is where temporary passwords are written if users are converted;
# the cmdlet still expects it even when -SkipUserConversion is $true.
Convert-MsolDomainToStandard -DomainName domainname.tld -SkipUserConversion $true -PasswordFile .\passwords.txt
Convert-MsolDomainToFederated -DomainName domainname.tld

# Alternatively, set the domain's authentication type to managed directly, then re-federate
Set-MsolDomainAuthentication -Authentication Managed -DomainName domainname.tld
Convert-MsolDomainToFederated -DomainName domainname.tld

Credit is due to Michel de Rooij (@mderooij) for the ADFS safety net tip.

Administering Office 365 using PowerShell: updated information on the required components

I’ve written before about administering Office 365 from PowerShell but the process has changed slightly over the years.  There are various articles out there on the web with methods and links but the key information (as at August 2014) is in a TechNet article titled Manage Azure AD using Windows PowerShell.  Yes, that’s right – Azure AD – because Windows Azure Active Directory is the authentication service used by Microsoft Online Services such as the Office 365 services.

On my Windows 8.1 computer I already had the necessary .NET framework and PowerShell pre-requisites but I did need to download and install two more components before Get-Command -Module msonline would do anything for me:

  1. The Microsoft Online Services Sign-In Assistant for IT Professionals RTW (the version I used was 7.250.4556.0, published on 17 February 2014).
  2. The Windows Azure AD Module for Windows PowerShell* (which depends on the Microsoft Online Service Sign-In Assistant), which doesn’t come up in a search on the Microsoft Downloads Center but is linked from the TechNet article I mentioned above (32-bit and 64-bit versions).

With these components installed, I could authenticate against the service using my normal credentials with Import-Module MSOnline and Connect-MsolService and run administration cmdlets from within PowerShell.  Note that in order to run Exchange cmdlets, you’ll need a remote PowerShell session to Exchange (check out Greg Shields’ TechNet magazine article Manage Office 365 with Windows PowerShell for more details). There are also additional modules for managing Lync Online and SharePoint Online.
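Both the identity-model post above and this one lean on the MSOnline cmdlets, so here is an added example (my own, not code from the TechNet article) that connects, reports which identity model each domain is using and whether synchronisation is running, and then opens the Exchange Online remote session. It assumes the two components listed above are installed; the distribution group name and the 2014-era Exchange Online connection URI are assumptions.

```powershell
# Added example: connect to Azure AD (MSOnline) and Exchange Online, then report
# each domain's identity model. Assumes the MSOnline module and the Sign-In
# Assistant are installed; tenant credentials are prompted for, not hard-coded.
Import-Module MSOnline

# One credential object serves both the MSOnline connection and the Exchange session
$cred = Get-Credential -Message 'Office 365 global administrator'
Connect-MsolService -Credential $cred

# Which identity model is each domain using?
# Managed = cloud or synchronised identity; Federated = ADFS or a third-party IdP
Get-MsolDomain |
    Select-Object Name, Status, Authentication |
    Sort-Object Authentication, Name |
    Format-Table -AutoSize

# Is directory/password synchronisation enabled, and when did it last run?
# (Stale LastDirSyncTime/LastPasswordSyncTime values are the first thing to check
# when users report that on-premises password changes are not reaching the cloud.)
Get-MsolCompanyInformation |
    Select-Object DirectorySynchronizationEnabled, LastDirSyncTime,
                  PasswordSynchronizationEnabled, LastPasswordSyncTime

# For federated domains, show where authentication actually happens: the federation
# service named here is the component that must be highly available
foreach ($d in (Get-MsolDomain | Where-Object { $_.Authentication -eq 'Federated' })) {
    $fs = Get-MsolDomainFederationSettings -DomainName $d.Name
    '{0}: issuer {1}, passive logon {2}' -f $d.Name, $fs.IssuerUri, $fs.PassiveLogOnUri
}

# Exchange cmdlets are not part of MSOnline: they arrive via a remote session.
# Assumption: the legacy Exchange Online endpoint of the time is used here.
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session -DisableNameChecking | Out-Null

# Exchange cmdlets now run locally, e.g. listing the members of a distribution group
# (group address is a placeholder)
Get-DistributionGroupMember -Identity 'allstaff@domainname.tld' |
    Select-Object Name, PrimarySmtpAddress

Remove-PSSession $session
```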


* The Windows Azure Active Directory Module for Windows PowerShell cmdlets were previously known as the Microsoft Online Services Module for Windows PowerShell cmdlets.

Short takes: hosts files; C#; Azure VMs; sleuthing around Exchange; closing Windows 8 apps; and managing tabs in Google Chrome

Another dump of my open browser tabs to the web…

Unable to edit hosts file in Windows

One of the tools (read Excel and lots of macros) that I use for financial forecasting said it couldn’t find a server.  Of course the network’s never broken – it must be the end user’s fault – so, faced with the prospect of telling an angry admin that there is a DNS mis-configuration, I decided to hack my hosts file instead…

Windows doesn’t make that easy (even as a local administrator) – so I ran Notepad as Administrator instead… being an old skool kind of command line guy it was an elevated cmd prompt from Start, cmd, then shift and click (which dumps me into C:\Windows\System32), followed by the cd drivers/etc and notepad hosts commands.

What versions of C# are out there?

One thing I wanted to know whilst teaching myself to write in C# a few months back (i.e. to select a course that was up-to-date!) was which versions of C# are out there. Of course, Stack Overflow has the answer.

And, one day, I really must have a play with CShell, the open source C# read-eval-print-loop (REPL) IDE

What Microsoft server software is supported in an Azure VM?

Ever wondered what can be run up (and supported) in a Microsoft Azure VM? Quite a lot, but also some big omissions (Exchange, obviously) and some caveats (like no DHCP).  The formal list is in Microsoft knowledge base article 2721672.

Finding the Exchange Server that actually hosts my email

Exchange AutoDiscover means that, most of the time, end users don’t need to know where their email is – just the single address that lets the email client find the server – but several times recently I’ve found myself needing to know which server hosts my email.  One time I was diagnosing intermittent issues with out of office replies and access to colleagues’ calendars.  Another time I wanted to use PowerShell to list members of a distribution group programmatically (and later to rename a distribution group after the IT department said it wasn’t possible). Unfortunately, I didn’t have access to run PowerShell commands against our servers (but that’s probably a good thing)!

Anyway, it seems that the details I needed were available via Outlook Web Access:

  1. Logon to OWA
  2. Click options
  3. Click About
  4. And find the line that reads “Client access server name” – that’s your connection point.  There’s also a line for “Mailbox server name”.

I tested this with Exchange 2007.  It may vary for other releases and I haven’t checked.

By the way, a couple of links that looked hopeful for my distribution group issues (the ones I had to find another way to resolve):

Closing applications in Windows 8

Our family PC runs Windows 8.1 but, as my work PC runs Windows 7, I have to admit sometimes there are things I haven’t got used to.  One of those is closing full-screen apps.  I usually resort to Alt-F4 but if the kids have left the computer in touch format, then it seems that a simple top to bottom drag is what I need (there should also be a close button if I touch the top of the screen).

Managing tabs in Google Chrome

As I go through my work, I often come across things I’d like to go back to later, or leave side projects part-done, blog posts half-researched (and half-written), etc. Over time, they build up to hundreds of tabs and my bookmarks folder is a plethora of In Progress yyyymmdd folders (another job to sort out one day).  It also means that, every now and again, my PC slows right down and I need to reboot because Google Chrome is using 14 gazillion GBs of RAM and a Flash plugin (probably serving ads on a website) has gone haywire again. Add Symantec EndPoint Prevention and BeCrypt DiskPrevent into the mix and a reboot could be a half-hour inconvenience.

Last night, I spent hours working through the various open tabs, closing some, pasting some to blog posts (this one… and others still work in progress) and I happened to post a little tweetette, to which Garry Martin (@GarryMartin) happened to respond:

Awesome indeed. Less than 5 seconds to install and the remaining handful of tabs are now under control.

Confusion over accounts used to access Microsoft’s online services

I recently bought a new computer, for family use (the Lenovo Flex 15 that I was whinging about the other week finally turned up). As it’s a new PC, it runs Windows 8 (since upgraded to 8.1) and I log in with my “Microsoft account”. All good so far.

I set up local accounts for the kids, with parental controls (if you don’t use Windows Family Safety, then I recommend you do! No need for meddling government firewalls at ISP level – all of the major operating systems have parental controls built in – we just need to be taught to use them…), then I decided that my wife also needed a “Microsoft account” so she could be registered as a parent to view the reports and over-ride settings as required.

Because my wife has an Office 365 mailbox, I thought she had a “Microsoft account” and I tried to use her Office 365 credentials. Nope… authentication error. It was only some time later (after quite a bit of frustration) that I realised that the “Organization account” used to access a Microsoft service like Office 365 is not the same as a “Microsoft account”. Mine had only worked because I have two accounts with the same username and password (naughty…) but they are actually two entirely separate identities. As far as I can make out, “organization accounts” use the Windows Azure Active Directory service whilst “Microsoft accounts” have their heritage in Microsoft Passport/Windows Live ID.

Tweeting my frustrations I heard back from a number of online contacts – including journalists and MVPs – and it seems to be widely accepted that Microsoft’s online authentication is a mess.

As Jamie Thomson (@JamieT) commented to Alex Simons (@Alex_A_Simons – the Programme Director for Windows Azure Active Directory), if only every “organization account” could have a corresponding “Microsoft account” auto-provisioned, life would be a lot, lot simpler.

Problems removing storage resources from Windows Azure virtual machines

Last year, I wrote about creating a virtual machine on Windows Azure, using the IaaS capabilities of the platform.  My free 90 day subscription is coming to an end so I needed to remove all resources before they become chargeable (running or otherwise). The problem was that, after deleting the virtual machine, I couldn’t remove the storage because:

Storage account […] has 1 container(s) which have an active image and/or disk artifacts. Ensure those artifacts are removed from the image repository before deleting this storage account.

That wasn’t too helpful as I couldn’t find anything that looked like an “image repository” in the management console.  Thankfully I found the answer on StackOverflow.com:

“[…] even if you’ve already deleted all of your Virtual Machines and it shows 0; there still will be artifacts under the disks tab”

[Amazon’s] Reference architecture for utility computing

Earlier this week, I attended an Amazon Web Services (AWS) 101 briefing, delivered by Amazon UK’s Ryan Shuttleworth (@RyanAWS).  Although I’ve been watching the “Journey into the AWS cloud” series of webcasts too, it was a really worthwhile session and, when the videos are released to the web, well worth watching for an introduction to the AWS cloud.

One thing I particularly appreciate about Ryan’s presentations is that he approaches things from an architectural view. It’s a refreshing change from the evangelists I’ve met at other companies who generally market software by talking about features (maybe even with some design considerations/best practice or coding snippets) but rarely seem to mention reference architectures or architectural patterns.

During his presentation, Ryan presented a reference architecture for utility computing and, even though this version relates to AWS services, it’s a pretty good model for re-use (in fact, the beauty of such a  reference architecture is that the contents of each box could be swapped out for other components, without affecting the overall approach – maybe I should revisit this post and slot in the Windows Azure components!).

So, what’s in each of these boxes?

  • AWS global infrastructure: consists of regions to collate facilities, with availability zones that are physically separated, and edge locations (e.g. for content distribution).
  • Networking: Amazon provides Direct Connect (dedicated connection to AWS cloud) to integrate with existing assets over VPN Connections and Virtual Private Clouds (your own slice of networking inside EC2), together with Route 53 (a highly available and scalable global DNS service).
  • Compute: Amazon’s Elastic Compute Cloud (EC2) allows for the creation of instances (Linux or Windows) to use as you like, based on a range of instance types, with different pricing – to scale up and down, even auto-scaling. Elastic Load Balancing allows the distribution of EC2 workloads across instances in multiple availability zones.
  • Storage: Simple Storage Service (S3) is the main storage service (Dropbox, Spotify and others run on this) – designed for write once read many applications.  Elastic Block Store (EBS) can be used to provide persistent storage behind an EC2 instance (e.g. boot volume) and supports snapshotting, replicated within an availability zone (so no need to RAID). There’s also Glacier for long term archival of data, AWS Import/Export for bulk uploads/downloads to/from AWS and the AWS Storage Gateway to connect on-premises and cloud-based storage.
  • Databases: Amazon’s Relational Database Service (RDS) provides database as a service capabilities (MySQL, Oracle, or Microsoft SQL Server). There’s also DynamoDB – a provisioned throughput NoSQL database for fast, predictable performance (fully distributed and fault tolerant) and SimpleDB for smaller NoSQL datasets.
  • Application services: Simple Queue Service (SQS) for reliable, scalable message queuing (for application decoupling); Simple Workflow Service (SWF) to coordinate processing steps across applications and to integrate AWS and non-AWS resources, to manage distributed states in complex systems; CloudSearch – an elastic search engine based on Amazon’s A9 technology to provide auto-scaling and a sophisticated feature set (equivalent to SOLR); CloudFront for a worldwide content delivery network (CDN), to easily distribute content to end users with a single DNS CNAME.
  • Deployment and admin: Elastic Beanstalk allows one click deployment from Eclipse, Visual Studio and Git for rapid deployment of applications with all AWS resources auto-created; CloudFormation is a scripting framework for AWS resource creation that automates stack creation in a repeatable way. There’s also Identity and Access Management (IAM), software development kits, Simple Email Service (SES), Simple Notification Service (SNS), ElastiCache, Elastic MapReduce, and the CloudWatch monitoring framework.

I suppose if I were to re-draw Ryan’s reference architecture, I’d include support (AWS Support) as well some payment/billing services (after all, this doesn’t come for free) and the AWS Marketplace to find and start using software applications on the AWS cloud.

One more point: security and compliance (security and service management are not shown as they are effectively layers that run through all of the components in the architecture) – if you implement this model in the cloud, who is responsible? Well, if you contract with Amazon, they are responsible for the AWS global infrastructure and foundation services (compute, storage, database, networking). Everything on top of that (the customisable parts) are up to the customer to secure.  Other providers may take a different approach.

Creating new endpoints to open up access to Windows Azure virtual machines

In my recent posts on creating a virtual machine on Windows Azure and connecting to a Windows computer running on Windows Azure, I mentioned endpoints but didn’t explain the process for creating new ones, i.e. opening up new ports for Internet access:

The RemoteDesktop endpoint shown above was created automatically when my virtual machine was provisioned but it may also be necessary to create new endpoints, for example allowing HTTP access over TCP port 80, HTTPS over TCP 443, etc.

To create a new endpoint, open up the virtual machine in the Windows Azure management console, then select Endpoints and click the Add Endpoint button at the bottom of the screen.  When creating endpoints, a new endpoint can be established or, if one already exists, this may be selected to load balance between multiple virtual machines. I only have a single virtual machine and so I selected add endpoint:

At this point, specify a name (HTTP would have been a better name than the one I used in the example below), select a protocol, and choose the port numbers:

The endpoint will then be created and the virtual machine will be accessible using the chosen protocol and port numbers:

To test the connection, I connected to my virtual machine over RDP and configured Windows Server roles/features in Server Manager (I installed IIS, just to prove that the machine was Internet-connected – but the server could be running any workload). Then, I connected to my virtual machine’s public DNS using a web browser (I could also have used the public virtual IP address shown in the dashboard for the virtual machine):
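The same endpoint can be created from the classic (Service Management) Azure PowerShell module of the time, which also lets you attach an access control list so that port 80 is only reachable from a known source range rather than the whole Internet. This is an added example of mine, not code from the post; the cloud service name, VM name and allowed subnet are placeholders.

```powershell
# Added example (not from the post): create the HTTP endpoint with the classic
# Azure PowerShell module and restrict it with an ACL. Assumes Add-AzureAccount /
# Select-AzureSubscription has already been run for the subscription.
$serviceName = 'mycloudservice'   # placeholder: cloud service hosting the VM
$vmName      = 'myvm'             # placeholder: virtual machine name
$allowedNet  = '203.0.113.0/24'   # placeholder: source range allowed to reach port 80

# Build an access control list: permit the named range; anything not permitted is denied
$acl = New-AzureAclConfig
Set-AzureAclConfig -AddRule -ACL $acl -Action Permit -RemoteSubnet $allowedNet `
    -Order 100 -Description 'Office range only'

# Create the HTTP endpoint (public TCP 80 -> VM TCP 80) with the ACL attached.
# Update-AzureVM is what actually applies the change to the running VM.
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Add-AzureEndpoint -Name 'HTTP' -Protocol tcp -LocalPort 80 -PublicPort 80 -ACL $acl |
    Update-AzureVM

# Verify what is now exposed, including the RemoteDesktop endpoint created at provisioning
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Get-AzureEndpoint |
    Select-Object Name, Protocol, Port, LocalPort, Vip |
    Format-Table -AutoSize
```

Reviewing that final listing after every change is the quickest way to spot an endpoint that was opened for a test and never removed.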
