Short takes: Unicode characters in Windows; OS X Remote Disc goes AWOL

More micro-posts from the collection of open tabs in my browser…

Unicode characters in Windows

Sometimes, when tweeting, it’s useful to be able to type the unicode horizontal ellipsis (…) rather than three full stops (…). It might look similar, but that’s two less characters out of 140.  I remember back in early days of Windows I could enter special characters using the numeric keypad but it seems that still works (sort of): FireFormat.Info has some useful information on entering Unicode characters in Microsoft Windows.

Mac OS X Remote Disc goes AWOL whilst installing Adobe Lightroom

My new Mac Mini doesn’t have an optical drive. That’s not generally a problem except I needed to install Lightroom on it, so I used OS X’s Remote Disc technology to share the DVD drive from my old MacBook across the network.  The software installation was progressing nicely until, right at the end, the Adobe installer wanted me to insert the disc! As I was already connected to a logical disc, I had no way forward but to abandon the installation, connect a USB DVD drive and try again.  Seems it’s not the universal solution to accessing optical media that I had hoped…

To add insult to injury, I then found (thanks to the Lightroom Queen) that the Lightroom downloads on the Adobe website are the full programme, so I could have downloaded the software and installed it locally – all I really needed was my license key!

Choosing an Office 365 identity model (when to use ADFS)

At the time of writing, Microsoft Office 365 has the ability to work with three identity models:

  • Cloud identity (stored in Microsoft Azure Active Directory).
  • Synchronised identity (a copy of the objects from an on-premises Active Directory is made in Microsoft Azure AD), optionally with synchronised password hashes.  This is also known as same sign on (not single sign on as there are still two separate objects, albeit two objects that are kept synchronised).
  • Federated identity, using a federation service (such as Active Directory Federation Services, but others are supported) to authenticate users in an on-premises directory following which authorisation can be granted to Office 365 resources. This is also known as single sign on.  In this instance, directory synchronisation is still used to populate the Azure AD with user objects, although authentication happens on-premises.

Whilst the majority of small businesses will be fine with cloud identities, many of my conversations with enterprise customers start off in the directory synchronisation space. Generally, synchronisation is performed using the Office 365 DirSync appliance (a customised version of Forefront Identity Manager) although, more recently a new tool (Azure AD Sync) has been released that will eventually replace DirSync.  At the time of writing the main difference is that Azure AD Sync supports multiple forests (DirSync is a single forest solution) but it doesn’t support password synchronisation (still a major advantage for DirSync).

In general, the approach I recommend is to choose the simplest model for the organisation’s needs. The cloud identity model can work well when there is no on-premises directory service or there is no requirement to integrate; synchronised identity is the most commonly used (assuming there is an existing Active Directory) but sometimes federation is required:

  1. If there is an existing ADFS infrastructure.
  2. If a third party federated ID provider is in use.
  3. If Forefront Identity Manager 2010 is in use (which does not support password synchronisation).
  4. If there are multiple on-premises Active Directory forests (although Azure AD sync may negate this requirement).
  5. If smart cards or other third-party multi-factor authentication solutions are in use (Azure AD does have an MFA capability, although there are some restrictions on its use).
  6. If custom hybrid apps or hybrid search are in use (SharePoint).
  7. If a hybrid Lync solution is in use (i.e. placing users with enterprise voice capabilities on premises and those that don’t need voice in Lync Online, sharing the same SIP namespace).
  8. For self-service password reset via a web service (only administrators have self-service password reset in Office 365).
  9. If there is a requirement to audit logins and/or immediately disable accounts.
  10. If there is a requirement for single sign-on (i.e. accessing Office 365 workloads with the same user credentials as on-premises).
  11. If there is a requirement to restrict client logins by time or location.
  12. If the organisational security policy prevents the synchronisation of password hashes to Azure AD.

On a related topic, the Microsoft Online Services Sign-in Assistant (MOSA) for IT Professionals only exists to simplify the user experience (handling tokens, etc.) and is generally not required with modern versions of Office. Administrators using PowerShell may still need it though.

Finally, if ADFS is down, there is no way for users to authenticate. For that reason, federated infrastructure needs to be highly available (e.g. multiple ADFS proxies and multiple ADFS servers).  One method that’s starting to be commonly recommended is an “ADFS safety net”, using DirSync as a fall back (it’s possible to move between identity models on demand) but obviously that’s only an option if your organisation’s security policy allows the synchronisation of identities (including password hashes to minimise the impact on end users).

For reference, the PowerShell commands are:

Convert-Msol-DomainToStandard -DomainName domainname.tld -SkipUserConversion $true
Convert-Msol-DomainToFederated -DomainName domainname.tld

Set-Msol-DomainAuthentication -Authentication Managed -DomainName domainname.tld
Convert-Msol-DomainToFederated -DomainName domainname.tld

Credit is due to Michel de Rooij (@mderooij) for the ADFS safety net tip.

My new Office 365 Resource Centre

I’ve been doing a fair amount of work with Office 365 in recent months (including passing certification exams) and, along the way, I’ve found a lot of snippets of useful information. Normally I’d write a blog post but I expect to be constantly adding to the information so I thought I’d create a different solution this time.

So, I’ve started to create what’s currently known as Mark’s Office 365 Resource Centre. It’s work in progress – and I’m sure the structure will change as it grows over time – but at least I’ve found something to do with the public website on my Office 365 subscription!

Déjà vu: buying and upgrading another Mac Mini

Eight years ago, I was writing blog posts about buying a Mac Mini and upgrading its inner workings. Then, last weekend, I bought a new one.  Well, actually I bought the outgoing model at a knock-down price, thanks to a tip-off from Dom Allen (@ca95014).  A 2.3GHz Core i7 late-2012 model should happily replace my aging MacBook and, unlike the late-2014 model that Apple recently announced, it has upgradable RAM (up to 16GB) rather than memory integrated on the main logic board (I believe the term is planned obsolescence and I find it deeply cynical…).

As usual, I bought my memory from Crucial but, whilst I was waiting for it to arrive, I introduced my eldest son to the Apple unboxing experience…

The memory turned up a day or so later and now I’m in the process of transferring all of my images and photo-editing software to the new Mac… I’m sure there will be more posts to follow on that experience.

With some more hard disk space and a faster Mac, maybe I’ll start taking more pictures (lost my “photo mojo” of late, although I did grab a few shots when I went to watch the Revolution Series track cycling a couple of weeks ago).