Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘Office 365’ Category

(2016-01-19) Free AD Tool For The IT Pro (4)

Posted by Jorge on 2016-01-19


While browsing the internet I found the following AD related tools that might be worth checking out. Have fun!

REMARK: I do not own and do not support these tools. These tools are also not specifically recommended by me, this post is just a "FYI only!" It is your responsibility to test and check out these tools to see if these meet your requirements.

Z-Hire/Z-Term Active Directory, Exchange, Lync, Office 365 User Creation Tool

Z-Hire automates the IT account creation process for Exchange mailbox, Active Directory, Lync accounts, Office 365 cloud and SalesForce cloud deployments. With just a click of the button, your Exchange mailbox, Active Directory user and Lync accounts will be created simultaneously. This tool can also create and set custom settings for Office 365 accounts using templates. Z-Hire serves as the platform for new hire accounts by allowing auto-creation of major IT user accounts with the option for custom scripts. Z-Hire will decrease your new hire user account deployment time by 600%, without the need for complicated and expensive identity management solutions. This Active Directory User Creation Tool makes creating Active Directory users a breeze. Some of the features include:

  • Environment Auto detection/discovery (AD/Exchange/Lync/Office 365/SalesForce)
  • Copy existing Active Directory User to Z-Hire Template
  • Support for Active Directory user, Exchange Mailbox, Lync 2010, Lync 2013, Office 365 user and SalesForce user account
  • Template based deployment (allows consistency for all user accounts)
  • Office 365 account creation with major attributes
  • Office 365 license only mode (assign license only, when using DirSync)
  • Office 365 Hybrid mode (for organizations running Office 365 in Hybrid mode)
  • Active Directory user account creation with major attributes
  • Active Directory group selection
  • Active Directory user duplicate SamAccountName verification
  • Lync 2010 account creation supporting all policies
  • SalesForce user creation supporting all major attributes
  • Faster performance (compared to previous version)
  • Bulk import from CSV / Text to provision Active Directory, Exchange, Lync and Office 365 users (version 5.3)
  • HRIS / WorkDay driven user provisioning (Automatically provision users from WorkDay and other HRIS Systems)
  • HRIS / WorkDay driven data sync (Automatically sync user data such as Title, Department from WorkDay and other HRIS systems)

Click HERE for more information

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Exchange Server, IT Pro Tools, OCS/Lync Server, Office 365, Windows Azure Active Directory

(2014-11-21) Troubleshooting SSO Issues In Azure AD, Office 365 Or Windows Intune

Posted by Jorge on 2014-11-21


The following resources can help you troubleshoot SSO issues:

Cheers,
Jorge

Posted in Office 365, SSO, Troubleshoot, Windows Azure Active Directory

(2014-10-01) TroubleShooting Federation/SSO To Windows Azure AD And Office 365

Posted by Jorge on 2014-10-01


When setting up DirSync and federation between your on-premises AD and Windows Azure AD to support identity sync and SSO, the most important attributes to make sure everything works are the immutableID and the userPrincipalName.

Paul Williams from msresource.net has written a great number of blog posts about this, touching all kinds of related stuff. See the following blog posts:

With regards to the implementation I used the string version of the objectGUID (AD) as the immutableID (sourceAnchor in AAD) and the UPN as the userPrincipalName (AAD). I achieved that by leveraging FIM with the AAD connector. Because of that I also had to implement slightly different claims rules in ADFS for Azure AD/Office 365. The rules in my ADFS v2.0 looked like:

@RuleName = "Identity Claims – objectGUID (Base64) To objectGUID (String)"
c:[Type == "http://temp.org/identity/claims/adObjectGuidBase64org"]
=> add(store = "String Processing Store", types = ("http://temp.org/identity/claims/adObjectGuidString"), query = "fromBase64GuidtoStringGuid", param = c.Value);

@RuleName = "Identity Claims – upn To UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
=> issue(Type = "http://schemas.xmlsoap.org/claims/UPN", Value = c.Value);

@RuleName = "Identity Claims – objectGUID (String) To ImmutableID"
c:[Type == "http://temp.org/identity/claims/adObjectGuidString"]
=> issue(Type = "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

@RuleName = "Identity Claims – ImmutableID To Name ID"
c:[Type == "http://schemas.xmlsoap.org/claims/UPN"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
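
The first rule above relies on a custom attribute store to turn the Base64 objectGUID into its string form. As an added example (not code from the original post, and not the implementation of that store), the Python below shows that conversion in both directions and a check that an issued ImmutableID and a synced sourceAnchor refer to the same object. It assumes the string form is the standard AD/.NET GUID rendering; the function names and the sample bytes are constructed for illustration.

```python
import base64
import uuid


def base64_guid_to_string(b64_value: str) -> str:
    """Base64 objectGUID (16 raw bytes as AD stores them) -> GUID string."""
    raw = base64.b64decode(b64_value, validate=True)
    if len(raw) != 16:
        raise ValueError(f"objectGUID must be 16 bytes, got {len(raw)}")
    # The first three GUID fields are stored little-endian; bytes_le
    # reorders them the same way AD tools and .NET render the value.
    return str(uuid.UUID(bytes_le=raw))


def string_guid_to_base64(guid_string: str) -> str:
    """GUID string -> Base64 of the raw AD byte layout."""
    return base64.b64encode(uuid.UUID(guid_string).bytes_le).decode("ascii")


def naive_big_endian_string(b64_value: str) -> str:
    """Common mistake: reading the 16 bytes in network order.
    Yields a valid-looking GUID that matches no directory object."""
    return str(uuid.UUID(bytes=base64.b64decode(b64_value, validate=True)))


def normalize_anchor(value: str) -> str:
    """Accept either representation and return the lowercase GUID string."""
    value = value.strip()
    try:
        return str(uuid.UUID(value))         # already a GUID string
    except ValueError:
        return base64_guid_to_string(value)  # otherwise treat as Base64


def anchors_match(claim_value: str, source_anchor: str) -> bool:
    """True when the issued ImmutableID and the synced sourceAnchor
    identify the same objectGUID, whichever form each one is in."""
    return normalize_anchor(claim_value) == normalize_anchor(source_anchor)


# Constructed sample: 16 bytes 0x10..0x1f standing in for an objectGUID.
SAMPLE_B64 = base64.b64encode(bytes(range(0x10, 0x20))).decode("ascii")

if __name__ == "__main__":
    print(SAMPLE_B64, "->", base64_guid_to_string(SAMPLE_B64))
    print("network-order misread:", naive_big_endian_string(SAMPLE_B64))
```

When the ImmutableID claim and the sourceAnchor are produced by different components, as with FIM and ADFS here, both sides have to apply the same byte order or the federated sign-in will not match the synced user.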

I swear everything was working, until some day I started to get the following errors:

….when navigating to: https://outlook.office365.com/owa/

Figure 1: Error When Using Federated Logon And Navigating To Office 365 Portal

….when navigating to: https://manage.windowsazure.com/default.aspx

Figure 2: Error When Using Federated Logon And Navigating To Azure AD Management Portal

….when navigating to: https://portal.office.com/

Figure 3: Error When Using Federated Logon And Navigating To Office 365 Management Portal

By giving the correlation ID to someone at Microsoft that is able to check it in the system logs, they most likely will be able to tell you what would be wrong. In this case unfortunately I was not able to do that. The logs on my system did not give me any clue!

As I have another ADFS v3.0 system in my environment, I therefore decided to configure that ADFS instance with all default values for DirSync and federation. After configuring all this, I was able to access Azure AD and Office 365 through federated logon on my ADFS v3.0 box, but still not on my ADFS v2.0.

After comparing the federation trusts between ADFS v2.0 and Azure AD, and between ADFS v3.0 and Azure AD, I saw the following difference:

Figure 4: Signature Hash Algorithm On The RP Trust On ADFS v3.0 For Azure AD/Office 365 (Default Config) – WORKING

Figure 5: Signature Hash Algorithm On The RP Trust On ADFS v2.0 For Azure AD/Office 365 (Custom Config) – NOT WORKING

For whatever reason, in the past I had changed the signature hash algorithm on the RP Trust On ADFS v2.0 For Azure AD/Office 365 AND I had forgotten about it. It took me some time to find this one, but by just changing the signature hash algorithm on the RP Trust On ADFS v2.0 For Azure AD/Office 365 from SHA-256 to SHA-1, everything started to work again! Yiiihhaaaaaa!

PS: this has NOTHING to do with the usage of ADFS v2.0 versus ADFS v3.0. This was a configuration mistake I made when playing around in the test/demo environment.

Cheers,
Jorge

Posted in Active Directory Federation Services (ADFS), Azure AD Sync, DirSync, Federation Trusts, Office 365, SSO, Transform Rules, Windows Azure Active Directory

(2014-03-21) GALSync, DIRSync And SSO With Office 365 Blog Posts From MSResource.NET

Posted by Jorge on 2014-03-21


Paul Williams from MSResource.net has done an excellent job on writing about several topics regarding FIM and ADFS related to Office 365. Find those interesting blog posts below.

Cheers,
Jorge

Posted in DirSync, Forefront Identity Manager (FIM) Sync, GAL Sync, Office 365, SSO, Windows Azure Active Directory

(2014-01-03) Missing E-mails In Outlook 2013 With Office 365 Or Outlook.com

Posted by Jorge on 2014-01-03


Are you using Office 365 or Outlook.com and do you see a difference in the number of e-mails when using the web based version compared to when using Outlook 2013? Or are you able to find an e-mail using the web based version, but not in Outlook? If yes, have a look at the following thread. This is more than a year old and until now, besides promises, no solutions yet.

http://social.technet.microsoft.com/Forums/office/en-US/ecbde6d4-614d-476c-a5f3-490b183b4d66/outlook-2013-missing-email-in-inbox-compared-to-outlookcom

It is so annoying waiting for an e-mail, having received it, but not knowing about it.

MSFT, PLEASE FIX THIS!!!

Cheers,
Jorge

Posted in Office 365, Outlook.com