Important Notice For All Office 365 Hybrid Environments

Microsoft has just published an important blog post on this.

On April 15th Microsoft is renewing the TLS certificate used by Office 365 for hybrid mail flow.

This means that hybrid mail flow may break for organisations that do not take the appropriate action beforehand.

The fix is quite simple: all on-premises Exchange servers used for hybrid need to be updated to Exchange 2013 CU9 or later, and the Exchange Hybrid Configuration Wizard needs to be run again. Re-running the wizard is what updates the TLS settings on the hybrid send and receive connectors, so patching alone is not enough.

You can find the latest version of the hybrid wizard over here

You can find the full Microsoft blog regarding this issue over here
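As an added check (my own example, not something from the Microsoft post), this is what I run in the Exchange Management Shell on-premises to confirm the build level and to see which TLS settings the hybrid connectors currently carry before and after re-running the wizard. The connector name filter `*Office 365*` is an assumption based on the default names the wizard creates; adjust it if your connectors are named differently.

```powershell
# Added example: pre/post checks for the Office 365 hybrid TLS certificate change.
# Run in the Exchange Management Shell on an on-premises Exchange server.

# 1. Every server involved in hybrid must be on Exchange 2013 CU9 or later.
#    CU9 reports as Version 15.0 (Build 1104.5).
Get-ExchangeServer | Select-Object Name, Edition, AdminDisplayVersion

# 2. TLS settings on the hybrid connectors. Re-running the Hybrid Configuration
#    Wizard rewrites these; compare the output before and after.
#    Assumption: the connectors still carry the wizard's default "Office 365" names.
Get-SendConnector | Where-Object { $_.Name -like '*Office 365*' } |
    Select-Object Name, SmartHosts, RequireTLS, TlsDomain, TlsCertificateName

Get-ReceiveConnector | Where-Object { $_.Name -like '*Office 365*' } |
    Select-Object Name, RequireTLS, TlsDomainCapabilities, TlsCertificateName

# 3. Certificates bound to the SMTP service, with expiry, so a locally expiring
#    certificate is not mistaken for the Office 365 side of the problem.
Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' } |
    Select-Object Thumbprint, Subject, NotAfter, Services
```

Keep a copy of the output from step 2 before you run the wizard; if hybrid mail flow still fails afterwards, a connector that was not touched by the wizard (for example one created by hand) is the first thing to compare against.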


How To Manage Scheduler in new Azure AD Connect

As I mentioned last week, the new version of Azure AD Connect has been released and now includes a built-in scheduler. This means that it no longer relies on the Windows Task Scheduler to run synchronization jobs. While this is definitely an improvement, it does mean that you can no longer use the Windows Task Scheduler to run a job manually. That is now all done from PowerShell, so after tinkering around a bit I decided to list the commands you will need most often for running jobs.

First of all, during installation there is a check box to start the initial sync once the installation completes. If you do not check this box, the sync will never run until the correct command is issued.

To check whether sync is enabled or not, run the following command: Get-ADSyncScheduler

In my case you can see that SyncCycleEnabled is set to True. If it is set to False, the client is not performing any syncs.
To enable the sync cycle you will need to issue the following command: Set-ADSyncScheduler -SyncCycleEnabled $True
Once enabled, the sync will run automatically once every 30 minutes (the default interval).

To manually kick off a sync cycle we will need to issue one of the following commands.

Start-ADSyncSyncCycle -PolicyType Delta

A delta sync cycle will:

  • Delta import on all connectors
  • Delta sync on all connectors
  • Export on all connectors

This is the command that you will usually use to run a manual sync.

You could also run a full cycle by issuing the following command
Start-ADSyncSyncCycle -PolicyType Initial

An initial sync cycle will

  • Full import on all connectors
  • Full sync on all connectors
  • Export on all connectors

You mainly want to issue this command if you have made one of the following changes:

  • Added more objects or attributes to be imported from a source directory
  • Made changes to the Synchronization rules
  • Changed filtering so a different number of objects should be included

If for some reason you need to stop a sync cycle that is currently running, you can issue the following command: Stop-ADSyncSyncCycle. Note that this only stops the cycle in progress; to stop the scheduler from starting new cycles altogether, disable it with Set-ADSyncScheduler -SyncCycleEnabled $False.
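Putting the commands above together, here is the script I use to kick off a delta sync on demand and wait for it to finish. This is my own added example, not code shipped with Azure AD Connect; the 30-minute timeout is an assumption that suits a delta cycle in a small environment, and the property names come from the output of Get-ADSyncScheduler.

```powershell
# Added example: run a delta sync cycle on demand and wait for it to complete.
# Run on the Azure AD Connect server in an elevated PowerShell session.
Import-Module ADSync

$scheduler = Get-ADSyncScheduler

# If the scheduler is disabled no automatic cycles run at all, so enable it;
# the built-in 30-minute cycle resumes after our manual run.
if (-not $scheduler.SyncCycleEnabled) {
    Set-ADSyncScheduler -SyncCycleEnabled $true
}

# Start-ADSyncSyncCycle fails if a cycle is already in progress, so wait first.
while ((Get-ADSyncScheduler).SyncCycleInProgress) {
    Start-Sleep -Seconds 10
}

# Delta is the normal choice; use -PolicyType Initial after changing sync rules,
# filtering, or the set of imported attributes.
Start-ADSyncSyncCycle -PolicyType Delta

# Poll until the cycle completes, with an upper bound so the script cannot hang.
$deadline = (Get-Date).AddMinutes(30)   # assumption: generous for a delta cycle
do {
    Start-Sleep -Seconds 10
    $inProgress = (Get-ADSyncScheduler).SyncCycleInProgress
} while ($inProgress -and (Get-Date) -lt $deadline)

if ($inProgress) {
    throw 'Sync cycle still running after 30 minutes; check Synchronization Service Manager.'
}

# Show when the scheduler will run next and what kind of cycle it will be.
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, CurrentlyEffectiveSyncCycleInterval,
                  NextSyncCyclePolicyType, NextSyncCycleStartTimeInUTC
```

If you run this from a remote session or a scheduled task, remember that the account needs to be a member of the local ADSyncAdmins group on the Azure AD Connect server, otherwise the ADSync cmdlets will fail to connect to the service.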

So now that you know the commands you can go ahead and update to the latest version of Azure AD Connect.





Office 365 Hybrid deployment with TMG server

When configuring a hybrid setup of Exchange with Office 365, an HTTPS connection between Office 365 and your on-premises Exchange needs to be established. Usually this uses the same published configuration as RPC over HTTPS (Outlook Anywhere). A lot of customers use a TMG server located in their DMZ to secure Outlook Anywhere. If you have TMG set up as a reverse proxy for Outlook Anywhere and TMG is also performing authentication for the session (pre-authentication), the hybrid setup is going to fail: Office 365 never gets past TMG, and you will receive an error stating that Office 365 cannot find the MRS endpoint at the supplied URL.

The solution?

Well, you could disable authentication for the whole Outlook Anywhere rule. This will work, though of course there is a trade-off in security, since every path published by that rule would then reach Exchange without TMG pre-authentication.

What I would recommend is creating a second rule for publishing Outlook Anywhere and placing it above the existing rule. We then need to make two changes to this new rule. The first is to disable pre-authentication by choosing All Users instead of Authenticated Users.

The second change is to publish only the two paths required for Office 365 hybrid: the Autodiscover and EWS directories (/autodiscover/* and /ews/*; the MRS proxy that Office 365 is looking for lives under EWS). Keep the path list this narrow. Requests to these two paths are still authenticated by Exchange itself, but everything else (OWA, ECP, the RPC proxy) stays behind the original rule with TMG pre-authentication intact.


Adding this rule with these two changes will allow for a successful setup of Office 365 hybrid with your Exchange server, without removing pre-authentication from the rest of Outlook Anywhere.
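Before re-running the Hybrid Configuration Wizard I like to confirm that the two published paths really do get through TMG to Exchange. The script below is my own added example, not part of the original post or of any Microsoft tooling; the hostname mail.contoso.com is a placeholder for your external Outlook Anywhere FQDN, and the on-premises and Exchange Online checks are shown as comments because they run in different shells.

```powershell
# Added example: probe the two hybrid paths from OUTSIDE the network after the
# TMG "All Users" rule is in place. Assumption: mail.contoso.com is the external
# FQDN published by TMG; replace it with your own.
$ExternalHost = 'mail.contoso.com'

# On-premises check (Exchange Management Shell), not part of this script:
#   Get-WebServicesVirtualDirectory  | Select-Object Server, ExternalUrl, MRSProxyEnabled
#   Get-AutodiscoverVirtualDirectory | Select-Object Server, ExternalUrl
# MRSProxyEnabled must be $true, otherwise the MRS endpoint error persists
# even with TMG fixed.

foreach ($path in '/autodiscover/autodiscover.xml', '/ews/mrsproxy.svc') {
    $uri = "https://$ExternalHost$path"
    try {
        # An anonymous request should NOT succeed: Exchange must challenge it.
        Invoke-WebRequest -Uri $uri -UseBasicParsing -ErrorAction Stop | Out-Null
        "$path : 200 without credentials. Unexpected; something in front of Exchange is answering anonymously."
    }
    catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($resp) {
            # A 401 with a Server header from IIS means the request reached
            # Exchange and Exchange is doing the authentication, which is what
            # the hybrid wizard needs. A TMG logon form or a TMG-generated
            # error page means pre-authentication is still in the way.
            "$path : HTTP $([int]$resp.StatusCode) from '$($resp.Server)'"
        }
        else {
            "$path : $($_.Exception.Message)"
        }
    }
}

# Exchange Online check (connect to Exchange Online PowerShell first), not part
# of this script; this is the same test the hybrid wizard performs:
#   Test-MigrationServerAvailability -ExchangeRemoteMove -RemoteServer $ExternalHost `
#       -Credentials (Get-Credential)
```

The useful signal is who sends the 401: if the Server header still identifies TMG, or you get a logon form back, the new rule is not matching (check its position and the path list); once Exchange answers, re-run the wizard.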


Azure AD Connect to replace DirSync and simplify cloud identity management

Recently I've been performing quite a few projects based on Microsoft Azure and Office 365. Most of these projects are hybrid configurations, meaning that they include both cloud and on-premises solutions that are connected to each other.

The foundation of these projects is DirSync (not to be confused with DirSync Pro, a file synchronisation tool). DirSync is the tool that synchronizes your Active Directory with the Office 365/Azure directory service. In its first release DirSync would only sync users and groups with their attributes; it did not synchronise passwords or provide a single sign-on experience (meaning that even if your computer was domain joined you would still be required to type in a password when using Outlook to connect to Office 365, for example). To achieve these capabilities you were required to set up Active Directory Federation between your on-premises AD and Azure/Office 365. To do this in both a secure and resilient manner would require four servers: two federation servers on the LAN and two proxies in the DMZ. This number would also be multiplied by the number of Active Directory sites your organization has. Because federation authenticates users against on-premises AD, password changes made by federated users were always made on-premises, so the cloud never held a separate copy of the password.

Another major drawback was that it was only possible to synchronise a single Active Directory forest with your cloud tenant. So if you had a multi-forest environment you would require multiple tenants in the cloud.

In its current version DirSync also synchronizes password hashes to the cloud, although neither password write-back nor SSO is supported. For most companies this is sufficient, and most do not feel the need to implement ADFS for cloud services.

Over the last few months a few additional tools have been released to beta, including Azure AD Sync and an early Azure AD Connect. These tools added password write-back and automatic set-up of ADFS, but things got a bit confusing. Now Microsoft has just released (in beta at the moment) Azure AD Connect as a single tool that, when released to GA, will replace all former tools with all features rolled up into a single package. The new tool includes support for password sync, password write-back and multiple forests, all configured with four simple clicks in the wizard. You can also use Azure AD Connect together with Azure AD to provide SSO to other external services such as Salesforce, Box and more.

Small note: Azure AD is a cloud service based in Azure. The service is free of charge with limited capabilities, and there is an option of purchasing Basic and Premium plans (password write-back, for example, is a Premium feature). You can find the feature comparison list here.