Just saw this important blog post from Microsoft.
On April 15th Microsoft is renewing the TLS certificate used by Office 365.
This means that hybrid mail flow may be broken for customers who do not take appropriate action.
The fix is quite simple: all on-premises servers used for hybrid need to be updated to Exchange 2013 CU9 or later, and the Exchange hybrid wizard needs to be run again.
You can find the latest version of the hybrid wizard over here.
You can find the full Microsoft blog post regarding this issue over here.
If you remember, I blogged a few months ago that Microsoft would be releasing Azure AD Connect, the final replacement for DirSync.
Well, the product is now out of preview and has been released. Along with the release of Azure AD Connect, Microsoft also released Azure AD Connect Health.
Azure AD Connect Health is a cloud-based service that helps administrators monitor and secure their cloud and on-premises identity infrastructure. In this first release, Azure AD Connect Health provides customers who use ADFS with detailed monitoring, reporting and alerts for their ADFS servers.
As I previously blogged, Azure AD Connect replaces both DirSync and Azure Active Directory Sync. If you are using either of the previous versions, you can perform a simple upgrade to the new Azure AD Connect.
Azure AD Connect has new features that allow you to:
- Enable your users to perform self-service password reset in the cloud with write-back to on-premises AD
- Enable provisioning from the cloud with user write-back to on-premises AD
- Enable write-back of “Groups in Office 365” to on-premises distribution groups in a forest with Exchange
- Enable device write-back so that your on-premises access control policies enforced by ADFS can recognize devices that registered with Azure AD. This includes the recently announced support for Azure AD Join in Windows 10.
- Sync custom directory attributes to your Azure Active Directory tenant and consume them from your cloud applications
All this allows an easy transition of your services to the cloud and easy integration of a remote workforce into your organization.
When configuring a hybrid setup of Exchange with Office 365, an HTTPS connection between Office 365 and Exchange needs to be established. Usually this will be the same configuration used for RPC over HTTPS (Outlook Anywhere). Now, a lot of customers use a TMG server located in their DMZ to secure Outlook Anywhere. If you have a TMG server set up as a reverse proxy for your Exchange Outlook Anywhere and TMG is also performing authentication for the session, the hybrid setup is going to fail. You’ll receive an error stating that Office 365 cannot find the MRS endpoint connection at the supplied URL.
Well, you could disable authentication for the Outlook Anywhere rule. This will work, though of course there is a slight trade-off in security.
What I would recommend is creating a second rule for publishing Outlook Anywhere and placing it above the existing rule, so it is matched first. We need to make two changes to this rule. The first is to disable authentication by choosing All Users instead of Authenticated Users.
The second change is to publish only the two paths required for Office 365 hybrid: the Autodiscover and the EWS directories.
Adding this rule with these two changes will allow for a successful setup of Office 365 hybrid with your Exchange server.
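To confirm the new rule behaves as described (anonymous requests to the two hybrid paths reach Exchange instead of being intercepted by TMG), here is an added PowerShell check that is not part of the original post. It is run from outside the network, the way Office 365 reaches you; the hostname is a placeholder, and the three paths are the standard Exchange Autodiscover, EWS and MRS proxy endpoints, which I am assuming are what the second rule publishes.

```powershell
# Added example, not from the original post. Probes the hybrid paths through the
# reverse proxy WITHOUT credentials and reports who answers the request.
# Assumptions: $ExternalHost is a placeholder for your Outlook Anywhere / hybrid FQDN;
# the paths are the standard Exchange Autodiscover, EWS and MRS proxy endpoints.
param([string]$ExternalHost = "mail.example.com")

$paths = "/Autodiscover/Autodiscover.xml", "/EWS/Exchange.asmx", "/EWS/mrsproxy.svc"

foreach ($path in $paths) {
    $url = "https://$ExternalHost$path"
    $req = [System.Net.HttpWebRequest]::Create($url)
    $req.Method = "GET"
    $req.AllowAutoRedirect = $false   # keep a login-form redirect visible instead of following it
    $req.Timeout = 15000

    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 401 and other non-2xx statuses surface as exceptions with the response attached
        $resp = $_.Exception.Response
    }
    if (-not $resp) {
        Write-Warning "$url : no HTTP response (DNS, TCP or TLS failure)"
        continue
    }

    $status   = [int]$resp.StatusCode
    $auth     = $resp.Headers["WWW-Authenticate"]
    $location = $resp.Headers["Location"]
    $resp.Close()

    # Exchange itself answers an anonymous request with 401 plus an auth challenge.
    # A redirect to a login page (or a 200 HTML form) means the proxy is still
    # pre-authenticating, which is the condition that breaks the MRS endpoint lookup.
    # Caveat: if TMG pre-authenticates with HTTP Basic rather than a form, its own
    # 401 looks like Exchange's; a Basic-only challenge therefore needs a closer look.
    $verdict = if ($status -eq 401 -and $auth -match 'Negotiate|NTLM|Basic') {
        "OK    - passed through to Exchange (challenge: $auth)"
    } elseif (($status -in 301,302,303,307) -or $status -eq 200) {
        "FAIL  - proxy is intercepting the session" + $(if ($location) { " (redirects to $location)" })
    } else {
        "CHECK - unexpected status $status"
    }
    "{0,-35} {1}" -f $path, $verdict
}
```

Run it before and after adding the second rule: the paths should flip from FAIL (redirect to the TMG logon form) to OK, while the original authenticated rule keeps protecting everything else under Outlook Anywhere.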
For those that haven’t heard yet, the next version of Lync is going to be known as Skype for Business. It will have the same functionality as Lync but use the more familiar Skype interface, making it easier for users who already use and love Skype to adopt Lync.
Microsoft has just announced that Lync Online will be upgraded to Skype for Business in 90 days’ time.
Basically this allows us to enjoy all the benefits of Lync with the interface of Skype, and of course allows full chat and video conferencing between Skype for Business and regular Skype users.
Recently I’ve been performing quite a few projects based on Microsoft Azure and Office 365. Most of these projects are hybrid configurations, meaning they include both cloud and on-premises solutions that are connected to each other.
The foundation of these projects is DirSync (not to be confused with DirSync Pro, a file synchronisation tool). DirSync is the tool that synchronizes your Active Directory with the Office 365/Azure directory services. In its first release DirSync would only sync user and group names and attributes; it did not synchronise passwords or provide a single sign-on experience (meaning that even if your computer was domain joined, you would still be required to type in a password when using Outlook to connect to Office 365, for example). To achieve these capabilities you were required to set up Active Directory Federation between your on-premises AD and the Azure/Office 365 cloud. To do this in both a secure and resilient manner would require 4 servers, 2 on the LAN and 2 in the DMZ, and this number would be multiplied by the number of Active Directory sites your organization has. Using Active Directory Federation would also allow you to sync passwords back to your on-premises Active Directory, basically allowing password changes to be performed in the cloud.
Another major drawback was that it was only possible to synchronise a single AD domain with your cloud tenant. So if you had a multiple-domain environment, you would require multiple tenants in the cloud.
In its current version DirSync also synchronizes passwords to the cloud, although neither password write-back nor SSO is supported. For most companies this is sufficient, and most do not feel the need to implement ADFS for cloud services.
Over the last few months a few additional tools have been released to beta, including Azure AD Connect and Azure AD Sync. These tools added password write-back and automatic setup of ADFS, but things got a bit confusing. Now Microsoft has just released (beta at the moment) Azure AD Connect, a single tool that when released to GA will replace all former tools, with all features rolled up into a single package. The new tool includes support for password sync, password write-back and multiple domains, all with 4 simple clicks. You can also use Azure AD Connect to perform SSO with other external services such as Salesforce, Box and more.
Small note: Azure AD is a cloud service based in Azure. The service is free of charge with limited capabilities; there is an option of purchasing Basic and Premium plans. You can find the feature comparison list here.