What if you could use delegates & OU’s in Windows Azure Active Directory?

Windows Azure Active Directory (a.k.a. WAAD) – the identity system behind Office 365, Windows Intune, … and a lot of other systems, since WAAD can be used in all kinds of websites, web applications, … – is not really an Active Directory (a.k.a. AD) as we know it. There are a lot of features that AD has that we don’t find in WAAD, e.g. the use of Organizational Units (a.k.a. OU), the use of Group Policies Objects (a.k.a. GPO), … So in these case the name WAAD can be misleading to the people who know the functionalities of AD. One of functionalities I miss a lot delegates combined with OUs.

Office 365 management

When using Office 365 in large enterprises or edu-facilities the management isn´t trivial.
Office 365 offers a role based administration within the web portal. That´s easy but does not provide tuning for example for branch offices, departements or any organizational units.

Real world scenarios demand an easy management for delegated administration!

For example a head of department in a branch office shall be able to administer only his employees and co-workers – and not all colleagues in the whole organization!

Delegate 365

That´s where Delegate365 comes in. Delegate 365 is an easy-to-use, web-based portal for delegated user and license management in Microsoft Office 365 and Windows Azure Active Directory.

Instead of using standard roles portal administrators can define any number of organizational units and who shall administer a unit and what licenses a unit can use. See http://delegate365.com/ for more information.

The business administrators can manage their own users and create their own global distribution lists as well. So Delegate365 simplifies all this tasks and works as new standard portal with advanced management features.


Delegate 365 is for…

Typical customers of Delegate365 are larger businesses, companies with some departments or locations, franchisers, educational facilities, schooling, clubs, associations and every group who uses Microsoft Office 365™ and wants to use delegated administrators for managing only their own units.

There are a lot of scenarios where the delegation of user management makes sense. IT-departments can be relieved, central administration only needs to define the business managers and the organizational units. From that on, the administrators can manage their own units in an easy-to-use web-portal: Delegate365


Organizational Units

… are the soul of management in Delegate365. The portal administrator defines any number of organizational units (OU) to create individual groups within the portal administration. Each administrator belongs to one or more OU´s. All objects belong to one OU.

With Delegate 365 you get an easy-to-use hierarchy where it´s strictly defined who can administer which users, domains and licenses.


Depending on the role the administrator can manage his own users, licences, groups and distribution groups as well as import users into his OU.


Self registering for EDU

Often companies and facilities do not offer an user self registration because the effort for creating and maintaining such a web platform with the necessary business logic as well as the payment system is relevant.

Delegate 365 also fills that gap and offers an ordering module for users who want to benefit from the (free) features of Microsoft Office 365!

Users can self-register for an Office 365 license within an organization. The validation of the registered user can be done automatically against a database – for example a central student database – or can be done manually, for example if the user provides a scanned picture of his student identity with his application.

Since beginning of december Microsoft Office 365 Student Advantage is available for educational facilities like schools and universities. With Student Advantage participating schools get free access to Microsoft Office 365 as long as the schools license Office 365 ProPlus or Office Professional Plus for their faculty members. A great deal to get the Office 365 licenses – for free!


Check out the offer here!

It doesn´t end here!

Delegate 365 offers secure webservices for other systems to connect with. With these APIs user provisioning can be enforced by schedules tasks or other services.

Reports provide quick overviews and help administrators to manage users and licences efficiently.

With these Delegate 365-functions enterprises and educational facilities can simplify tasks for user provisioning and managing. Come on and benefit form the easy-to-use delegation-portal!

Contact http://delegate365.com/

Office 365: move domain from tenant to tenant

If you play around with test domains and test tenants, it might be hassle to keep track of which domain is connected to what tenant. Until recent, you just didn’t know. Today I was playing with one of my test tenants again and I wanted to connect a domain to a new tenant. I knew this domain was already used and I feared that a support call was necessary to release this domain. BUT since there are a lot of changes made in the last few week to Office 365, I have new motto, try first, you never know they changed something.

Guess what, they changed something and I got the tenant name where my test domain was connected to … another happy camper.



So you go in your tenant and you try to delete your domain. If your domain is still used as a part of a upn or as a sip address you might have to do some deleting or rename users. If you delete users, make sure to delete them from the recycle bin as well.

To Change the UPN to a <tenant>.onmicrosoft.com


Get-MsolUser | Where { -Not $_.UserPrincipalName.ToLower().StartsWith(“admin@”) } | ForEach { Set-MsolUserPrincipalName -ObjectId $_.ObjectId -NewUserPrincipalName ($_.UserPrincipalName.Split(“@”)[0] + “@<tenant>.onmicrosoft.com”) }


To remove users

Get-MsolUser | Where { $_.UserPrincipalName.ToLower().EndsWith(“@contoso.com”) } | Remove-MsolUser

Get-MsolUser -ReturnDeletedUsers | Remove-MsolUser -RemoveFromRecycleBin –Force

UPN’s in a Hybrid environment

In a hybrid environment the attribute that defines your logon name for  Office 365 is the Active Directory User Principal Name. It is good practice to set the AD UPN to match the users primary SMTP address. This means that the users primary SMTP, Office 365 Logon Name and Lync SIP address (which is derived from the UPN) will be a single identity. Making it easier for users as they just have to remember one address.

In some cases a user may fall through the net and end up with a Office 365 logon name and Lync address that does not match their primary SMTP address. In these instances it is possible to change the UPN but there are consequences. UPN changes can take up to 24 hours and it involves the old Lync account being removed and a new one created. This means any Lync meeting’s need to be rescheduled, Lync contacts must be recreated and any external contacts need to be notified of your new Lync address. Usually this is not a major issue if the person has just been migrated.

In an Office 365 hybrid environment, DirSync is deployed to synchronise Active Directory objects. You can continue to edit and manage user information as before with your on-premise Active Directory. However once a user has been licensed the UPN value can not be changed by updating your AD for the obvious knock-on effects to access to the service and Lync. So, the UPN can be changed in two ways either from the Office 365 Admin Center or PowerShell.

Office 365 Admin Center

  • Logon and select Users and Groups
  • Search for the relevant user
  • Change the DNS suffix to the required domain


When you make the change you will be prompted with this rather useful reminder:


You will notice that you can only change the DNS suffix using the Office 365 Admin Center. If you need to change the username prefix then you must use PowerShell.


  • Logon to PowerShell
  • Run the following cmdlet
  • Set-MsolUserPrincipalName -UserPrincipalName bob.two@mycloudsounds.com -NewUserPrincipalName bob.twotwo@mycloudsounds.com


No friendly warnings in PowerShell it just does it!

I would also take the time to modify the on-premises UPN as it prevents confusion in the long run with support if all values are the same. You can do this in various ways but my particular favourite is:

  • Set-mailbox bob.two -UserPrincipalName bob.twotwo@mycloudsounds.com

What is an HSM in Office 365’s Azure RMS?

Security is a big focus for Microsoft, especially with Office 365; their enterprise-class data centers are some of the most secure in the world.  Above and beyond data center security, Microsoft has implemented technologies that allow organizations to further secure their data, even from Microsoft themselves.  One way this is done is with Rights Management Services, or RMS.  The mile high explanation for RMS is that it “provides the ability to safeguard sensitive information created using Office applications and services such as email or other memos or correspondence that requires confidential treatment. Rights are assigned to content when it is published and the content is distributed in an encrypted form that provides persistent protection wherever the content travels. Rights that can be assigned include the ability to allow or deny viewing, printing, copying of messages or documents as needed using template-based assignment.” (http://technet.microsoft.com/en-us/library/jj585024.aspx)

“Well, that’s great – but if Microsoft is securing their own data, how does that prevent their own engineers from decrypting the data themselves,” you ask, long-windedly.  That is done by deploying a Thales Hardware Security Module, of course referred to as an HSM.  According to Thales, “Thales nShield HSMs create tight controls around the management and use of the keys used by Microsoft Rights Management Services (RMS)” and “Thales nShield HSMs ensure that your key is always under  your control and never visible to Microsoft. The capability neutralizes the  perception that sensitive data maintained in the cloud is vulnerable because  the cloud can only be a shared service with a shared security infrastructure.”  Thales provides a 3rd party security mechanism to encrypt RMS data, leaving even Microsoft in a position where they need to gain access to the security mechanism in order to decrypt the information – an action that can be logged, with logs that are visible to the tenant owner.


“Okay,” my skeptical reader thinks, “but if Thales is held in the data center, Microsoft can just access Thales to get the key.  Logged or not, they still have access to my data.” Microsoft and Thales are on top of that one, too, by allowing organizations the option of Bring Your Own Key or…you guessed it, BYOK.  Per Thales, “Organizations subscribing to Windows Azure RMS in the cloud can choose to generate and maintain custody of their own key independent of Microsoft”.  This means you have the option to revoke your key, rendering RMS-encrypted data unreadable.  Future capabilities even include the option “lend” your key to Microsoft for short periods of time, meaning that revocation would not need to be proactive; rather, permission would need to be persistent to keep functionality, maximizing security of the data.


So, as you can see, organizations can secure their data, using Azure RMS, from even Microsoft themselves.  This functionality comes “out of the box” with Azure RMS, no added hardware or licensing purchases required.

The images used are from the Thales cloud security solution brief, which can be found/downloaded here: http://www.thales-esecurity.com/msrms/cloud

Windows Azure Active Directory: Self Service Password Reset Portal

One of the new features of Windows Azure Active Directory is the Self Service Password Reset Portal. A feature that was available for Administrators already but not the end-users.

The first thing that you need to do is to Sign Up the premium features of Windows Azure Active Directory.

  • Go to the Windows Azure management portal: http://manage.windowsazure.com
  • Go to Active Directory
  • Select your Directory
  • Sign Up for features in preview
  • Select Windows Azure Active Directory Premium
  • Connect it to a Subscription



Once the signup is complete go back to your directory and you’ll see a button  Enable Active Directory Premium


Select the number of contacts methods are required and which are available to users. You can choose to use the mobile phone number.This means that before users can do a full password reset they need to register their mobile number or the administrator has to make sure that there is some kind of system in place that does it for them. Don’t forget to activate the password reset before by selecting All.

attention Attention, the mobile number must be well formatted. E.g. +32123456789 will not work it has to be +32 123456789. Mind the space between +32 and 123456789. When the user registers the mobile number through the portal it is correctly formatted.

The url for the registration is : https://account.activedirectory.windowsazure.com/PasswordReset/Register.aspx

  • Enter your mobile number
  • Choose if you want a text or an automated call
  • Enter the received code



Once this is done, we can do a password reset. Go to https//login.microsoftonline.com and click on Can’t access your account. Enter your username & the captcha showing on the screen. Click on Next.


Now we enter the password reset procedure. Choose your telephone number if you have multiple and click on Next


Select if you want to be contacted by text or automated call. Click Next and enter the code you’ve received.


If your were successful in this step you’ll get the opportunity to change your password.